Silverlight & ClientPolicyAccess.xml

Brenden Kehren asked on March 25, 2014 07:39

The results of a penetration test showed the clientaccesspolicy.xml file at the root of the site to allow cross-domain access to the 3 modules/resources listed in it. From a functionality standpoint, if I remove this file I'm assuming it will break some functionality within the CMSDesk and Site Manager, so I won't be doing that. If I restrict cross-domain access, will applying that change cause a loss in functionality as well?

Correct Answer

Martin Danko answered on March 27, 2014 10:19

Hi Brenden,

I've discussed this with our security team and it seems that the mentioned XML file is still located in the application folder because of historical reasons but it's also required in some specific scenarios, e.g. when you are running a web farm where is the cross-domain communication used. I've deleted this file from my instance and everything seems to be working fine, it's related to the multifile uploader but also after the file deletion, uploader works without any problem, so create a backup of this file and feel free to delete it.

Regards, Martin

2 votesVote for this answer Unmark Correct answer

Recent Answers

Eddy Semaan answered on July 31, 2018 19:18

I just found this article while searching because we have the same problem except that I don't see the clientaccesspolicy.xml anywhere. Kentico is running in an Azure Web app. I connected using FTP and looked. Is it possible that I need a file that contains certain settings to disable cross site instead of not having the file at all? I did file a support ticket as well.

Thanks, Eddy

0 votesVote for this answer Mark as a Correct answer

Brenden Kehren answered on July 31, 2018 21:12

This file was in the root of a v7 instance and after removing it, there were no issues. I'm not sure of your envirnoment Eddy but it's worth a test. I don't believe it's in the newer versions either.

0 votesVote for this answer Mark as a Correct answer

   Please, sign in to be able to submit a new answer.