Open Silverlight Client Access Policy - Vulnerability Database

Open Silverlight Client Access Policy

Description

Silverlight's ClientAccessPolicy.xml file controls cross-domain data access permissions: it tells the Silverlight runtime which foreign origins may call the server's resources, relaxing the restrictions that the browser's same-origin policy normally imposes on cross-domain requests. The file is served from the root of the web server (e.g., www.example.com/ClientAccessPolicy.xml). The detected configuration uses a wildcard (*) to allow unrestricted cross-domain access from any domain, which is appropriate only for public APIs and resources. On internal applications, authenticated services, or any site handling sensitive data, such a permissive policy lets a Silverlight application hosted on an arbitrary attacker-controlled site issue requests to the server with the victim's browser session, which is a significant security risk.

Remediation

Replace the wildcard configuration with an explicit allowlist of trusted domains that require legitimate cross-domain access. Remove the ClientAccessPolicy.xml file entirely if cross-domain access is not needed. For public APIs, consider implementing additional security controls such as API keys or OAuth tokens. Example of a restrictive configuration:

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="SOAPAction">
        <domain uri="https://trusted-domain1.com"/>
        <domain uri="https://trusted-domain2.com"/>
      </allow-from>
      <grant-to>
        <resource path="/api/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>

For internal or authenticated applications, never use wildcard domains. Implement CSRF tokens and validate the Origin and Referer headers on the server side as additional defense layers.
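As an added illustration of how to audit such a file (this is not Invicti's code, and the policy document embedded below is a constructed sample, not one taken from any real site), the following Python check parses a ClientAccessPolicy.xml document and reports every wildcard origin together with the resource paths it is granted:

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from any real site): the permissive configuration
# this finding reports, with a wildcard domain granted access to everything.
WILDCARD_POLICY = """<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="*">
        <domain uri="*"/>
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>"""


def is_unrestricted_uri(uri):
    """True when the uri admits every origin: "*", "http://*" or "https://*"."""
    u = uri.strip().lower()
    return u in ("*", "http://*", "https://*")


def audit_client_access_policy(xml_text):
    """Return one finding per unrestricted <domain> entry in the policy.

    Each finding records the offending uri, the resource paths that the
    enclosing <policy> grants to it, and whether the request-header filter
    is also a wildcard. An empty list means no unrestricted origin was found.
    """
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    findings = []
    for policy in root.iter("policy"):
        paths = [r.get("path", "") for r in policy.findall("grant-to/resource")]
        for allow in policy.findall("allow-from"):
            headers = allow.get("http-request-headers", "")
            for dom in allow.findall("domain"):
                uri = dom.get("uri", "")
                if is_unrestricted_uri(uri):
                    findings.append({"uri": uri, "paths": paths,
                                     "any_header": headers.strip() == "*"})
    return findings


if __name__ == "__main__":
    for f in audit_client_access_policy(WILDCARD_POLICY):
        print("wildcard origin", f["uri"], "is granted", f["paths"])
```

Running the same check against the restrictive configuration shown above returns an empty list, since only explicit https origins are listed.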
