How do I restrict domains for Silverlight NetTcp connections?

Question

I'm hosting a clientaccesspolicy.xml for a locally hosted Silverlight component that communicates using TCP connections. It works but I'm trying to tighten the permitted domains and I can't find documentation to indicate how to specify these restrictions for TCP connections.

Is this possible, and if it is how should I be specifying these restrictions?

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
    <cross-domain-access>
        <policy>
            <allow-from http-request-headers="*">
                <domain uri="*"/>
            </allow-from>
            <grant-to>
                <socket-resource port="4502-4534" protocol="tcp" />
            </grant-to>
        </policy>
    </cross-domain-access>
</access-policy>

Answer 1

Basics of the Security Policy System

One additional restriction on using the sockets classes is that the destination port range that a network application is allowed to connect to must be within the range of 4502-4534. These are the only destination ports allowed by a connection from a Silverlight application using sockets. If the target port is not within this port range, the attempt to connect will fail. It is possible for a target server to receive connections on a port from this restricted range and redirect it to a different port (a well-known port, for example) if this is needed to support a specific existing application protocol.

I would think that narrowing the range of ports would would limit the available tcp sockets. They show an Example Policy File for Sockets here

<?xml version="1.0" encoding ="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from>
        <domain uri="file:///" />
      </allow-from>
      <grant-to>
        <socket-resource port="4502-4506" protocol="tcp" />
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>

Citing the following documentation from MS

To use a clientaccesspolicy.xml file to allow cross-domain access

To enable the service for access over TCP sockets, add <socket-resource port="4502" protocol="tcp" /> to the <grant-to> element, where the 4502 is the port value where the service is hosted.

Domain example

This policy file accepts connections only from the domains and scheme specified. This policy file specifies specific request headers and specifies resources that can be accessed.

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="MyHeader, X-API-*">      
        <domain uri="http://electronics.fabrikam.com"/>
        <domain uri="http://books.fabrikam.com"/>
        <domain uri="http://contoso.com:8080"/>
      </allow-from>      
      <grant-to>      
        <socket-resource port="4502-4506" protocol="tcp" />
      </grant-to>      
    </policy>
  </cross-domain-access>
</access-policy>

For the above policy, the Silverlight HTTP applications listed below are allowed to have access to the listed ports:

http://electronics.fabrikam.com/sample/app.xap
http://books.fabrikam.com/web/sample/app.html
http://contoso.com:8080/sample/app.xap

For the above policy, the Silverlight applications listed below are not allowed to have access to the listed ports:

http://electronics.fabrikam.com:8080/sample/app.xap
http://electronics.fabrikam.com:8080/sample/app.xap
http://bar.com/sample/app.xaml
https://bar.com/sample/app.html

The following HTTP request headers can be sent (in addition to the Content-Type header that is always allowed):

MyHeader
all headers starting with X-API-

Resource Network Security Access Restrictions in Silverlight