Silverlight web request limitations

In my experience with Silverlight to date, the following limitations have the biggest impact on the architecture and feature set of IPTV applications:

Silverlight supports only a limited subset of the standard .NET web request machinery, mostly due to security limitations.

The three most severe limitations are: 1) you cannot connect to just any URL, 2) you cannot pass arbitrary HTTP headers in your request, and 3) the HTTP status code you receive is effectively either 200 or not 200 (OK or not OK).
Url Restrictions
The complete description can be found here: http://msdn.microsoft.com/en-us/library/cc189008(VS.95).aspx
 
All URLs are classified relative to the URL from which the Silverlight app (the .xap file) was downloaded, into the following three classes:
Cross-scheme URL (the Silverlight app is downloaded from http:// and you try to access https://, or vice versa)
Cross-domain URL (you try to access a domain different from the Silverlight app's domain)
Cross-zone URL (you try to access a domain different from the Silverlight app's domain, AND this domain is in a more protected security zone of Internet Explorer; for example, accessing an intranet URL from a page loaded from the internet)
 
Here are the restrictions:
| | WebClient and HTTP classes | Image class, MediaElement class for progressive downloads (media, images, ASX, etc.) | XAML source files | Font files | Streaming media |
| --- | --- | --- | --- | --- | --- |
| Allowed schemes | HTTP, HTTPS | HTTP, HTTPS, FILE | HTTP, HTTPS, FILE | HTTP, HTTPS, FILE | HTTP |
| Cross-scheme access | Not allowed | Not allowed | Not allowed | No | Not allowed from HTTPS |
| Cross-domain access | Requires a security policy file. Not allowed if HTTPS to HTTPS. | Allowed if not HTTPS to HTTPS | Allowed if not HTTPS to HTTPS | Not allowed | Allowed if not HTTPS to HTTPS. |
| Cross-zone access (on Windows) | Not allowed from an Internet zone to more restrictive zones. | Not allowed from an Internet zone to more restrictive zones. | Not allowed from an Internet zone to more restrictive zones. | Not allowed from an Internet zone to more restrictive zones. | Not allowed from an Internet zone to more restrictive zones. |
| Redirection allowed | Allowed to same site and scheme. Allowed cross-domain only with a security policy file. | Allowed to same scheme and same or different sites. | Not allowed | Not allowed | Not allowed |
 
 
Http Header Restrictions
The following Request Headers are allowed:

Accept
Cache-Control
Content-Encoding
Content-Language
Content-MD5
Content-Type
Expires
From
If-Match
If-Modified-Since
If-None-Match
If-Range
If-Unmodified-Since
Pragma
Translate

The following Request Headers are explicitly not allowed:

Accept-Charset
Accept-Encoding
Accept-Language
Accept-Ranges
Age
Allow
Allowed
Authorization
Connect
Connection
Content-Length
Content-Location
Content-Range
Content-Transfer-Encoding
Cookie
Date
Delete
ETag
Expect
Get
Head
Host
Keep-Alive
Last-Modified
Location
Max-Forwards
Options
Post
Proxy-Authenticate
Proxy-Authorization
Proxy-Connection
Public
Put
Range
Referer
Request-Range
Retry-After
Server
TE
Trace
Trailer
Transfer-Encoding
Upgrade
Uri
User-Agent
Vary
Via
Warning
WWW-Authenticate
X-Flash-Version
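
As an added example (not code from the original post or from Microsoft), here is a preflight check a client could run before issuing a WebClient request, applying the WebClient column of the table and the allowed request header list above. The class and method names and the sample URLs are hypothetical, and the check assumes the allowed list is treated as a strict allowlist.

```csharp
using System;
using System.Collections.Generic;

// Added example; RequestPreflight and Check are hypothetical names.
static class RequestPreflight
{
    // Request headers the page lists as allowed (assumed to be a strict allowlist).
    static readonly HashSet<string> AllowedHeaders = new HashSet<string>(
        new[] { "Accept", "Cache-Control", "Content-Encoding", "Content-Language",
                "Content-MD5", "Content-Type", "Expires", "From", "If-Match",
                "If-Modified-Since", "If-None-Match", "If-Range",
                "If-Unmodified-Since", "Pragma", "Translate" },
        StringComparer.OrdinalIgnoreCase);

    // Returns the restrictions a WebClient/HTTP-class request would run into;
    // an empty list means none of the checked restrictions applies.
    public static List<string> Check(Uri xapOrigin, Uri target, IEnumerable<string> headers)
    {
        var findings = new List<string>();
        bool crossScheme = !string.Equals(xapOrigin.Scheme, target.Scheme,
                                          StringComparison.OrdinalIgnoreCase);
        bool crossDomain = !string.Equals(xapOrigin.Host, target.Host,
                                          StringComparison.OrdinalIgnoreCase);

        // Uri normalizes the scheme to lower case, so ordinal comparison is safe.
        if (target.Scheme != Uri.UriSchemeHttp && target.Scheme != Uri.UriSchemeHttps)
            findings.Add("scheme not allowed: " + target.Scheme);
        if (crossScheme)
            findings.Add("cross-scheme access is not allowed");
        if (crossDomain)
            findings.Add("cross-domain: target must serve a security policy file");
        foreach (string h in headers)
            if (!AllowedHeaders.Contains(h))
                findings.Add("request header not on the allowed list: " + h);
        // Cross-zone access depends on Internet Explorer zone settings and
        // cannot be decided from the two URLs alone, so it is not checked here.
        return findings;
    }

    static void Main()
    {
        // Constructed sample values.
        var origin = new Uri("http://iptv.example.com/app/Player.xap");
        var target = new Uri("https://api.example.net/epg");
        foreach (string f in Check(origin, target, new[] { "Accept", "Authorization" }))
            Console.WriteLine(f);
    }
}
```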
