I’ve recently heard from a number of Silverlight developers who report that certain cross-domain web service requests from their applications work properly with Fiddler running, but fail when Fiddler is not active. Using lower-level tools like NetMon or by watching server logs, the developers note that their applications aren’t even issuing requests for the cross-domain policy file unless Fiddler is running.
So, what’s going on?
The answer is that Silverlight is suppressing web service requests to the target URLs (when Fiddler isn’t running) because the target URL is in the Local Intranet security zone, while the Silverlight application is running from the Internet security zone. Silverlight forbids cross-domain requests from the Internet to the Local Intranet[1], and doesn’t bother looking for a cross-domain policy file.
So why don’t these cross-zone requests fail while Fiddler is running?
The answer goes back to a post I wrote over half a decade ago: The Local Intranet Zone and Proxies: the Surprising Connection. In these developers’ environments, the target web services are mapped to the Local Intranet Zone by a proxy configuration script specified in the WinINET settings.
So, for example, if the proxy configuration script specifies a proxy for www.example.com, but returns “DIRECT” for services.dev.extranet.example.com, Silverlight will block a request from an application running at www.example.com (Internet) because the target service URL is mapped to the Local Intranet Zone.
While Fiddler is running, it overrides the local proxy settings, removing the proxy configuration script from the IE settings and using the configuration script itself internally when determining the upstream gateway. However, because Fiddler is a directly-configured proxy, Internet Explorer has no proxy configuration script while Fiddler is attached. Because no hostnames are configured to bypass Fiddler, all dotted hostnames are treated as Internet Zone unless they are manually mapped to another zone using the Internet Control Panel.
To resolve this problem such that the application works without Fiddler running, you can untick the “Include all sites that bypass the proxy server” option inside Internet Explorer’s Tools > Internet Options > Security > Local Intranet > Sites dialog. Alternatively, you could use the Advanced button in that dialog to map the page hosting the Silverlight application itself into the Intranet Zone, ensuring that the application and its web service URL are running from the same zone.
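To make the interaction concrete, here is an added example (not code from the original post): a minimal proxy configuration script of the kind described above, alongside a simplified simulation of the zone mapping and Silverlight's zone check. The hostnames are the post's illustrative ones, `proxy.corp.example.com:8080` is an assumed proxy address, and the `zoneForHost` rules are a deliberate simplification of WinINET's behaviour, not its real implementation.

```javascript
// Assumed PAC script: DIRECT for the internal web service, proxy for everything else.
function FindProxyForURL(url, host) {
  if (host === "services.dev.extranet.example.com") {
    return "DIRECT";
  }
  return "PROXY proxy.corp.example.com:8080"; // assumed corporate proxy
}

// Simplified zone mapping (an approximation, not WinINET's actual logic).
// opts.includeBypassSites mirrors the "Include all sites that bypass the proxy
// server" checkbox; opts.manualIntranet lists hosts added via the Advanced
// button; opts.fiddlerRunning models Fiddler replacing the script with a
// directly-configured proxy that has no bypass list.
function zoneForHost(host, opts) {
  if (opts.manualIntranet && opts.manualIntranet.indexOf(host) !== -1) {
    return "Local Intranet";
  }
  if (opts.fiddlerRunning) {
    return "Internet"; // no script, no bypass list: dotted hosts are Internet Zone
  }
  var verdict = FindProxyForURL("http://" + host + "/", host);
  if (opts.includeBypassSites && verdict === "DIRECT") {
    return "Local Intranet"; // bypassing the proxy maps the host into the Intranet Zone
  }
  return "Internet";
}

// Silverlight's Zone Elevation check: an Internet-zone application may not
// call a Local Intranet service, and no cross-domain policy file is requested.
// Returns true when the request proceeds to the policy-file lookup.
function passesZoneCheck(appHost, serviceHost, opts) {
  var appZone = zoneForHost(appHost, opts);
  var serviceZone = zoneForHost(serviceHost, opts);
  return !(appZone === "Internet" && serviceZone === "Local Intranet");
}
```

Running `passesZoneCheck("www.example.com", "services.dev.extranet.example.com", {includeBypassSites: true})` reproduces the blocked case; setting `fiddlerRunning: true`, `includeBypassSites: false`, or adding `www.example.com` to `manualIntranet` each reproduces one of the ways the request goes through.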
-Eric
[1] Blocking of Zone Elevation is a security mitigation adopted by a number of technologies including IE’s XDomainRequest object.