Fiddler and Silverlight Cross-Domain Requests

I’ve recently heard from a number of Silverlight developers who report that certain cross-domain web service requests from their applications work properly with Fiddler running, but fail when Fiddler is not active. By using lower-level tools like NetMon or by watching server logs, the developers note that their applications aren’t even issuing requests for the cross-domain policy file unless Fiddler is running.

So, what’s going on?

The answer is that Silverlight is suppressing web service requests to the target URLs (when Fiddler isn’t running) because the target URL is in the Local Intranet security zone, while the Silverlight application is running from the Internet security zone. Silverlight forbids cross-domain requests from the Internet to the Local Intranet[1], and doesn’t bother looking for a cross-domain policy file.

So why don’t these cross-zone requests fail while Fiddler is running?

The answer goes back to a post I wrote over half a decade ago: The Local Intranet Zone and Proxies: the Surprising Connection. In these developers’ environments, the target web services are mapped to the Local Intranet Zone by a proxy configuration script specified in the WinINET settings.

So, for example, if the proxy configuration script specifies a proxy for, but returns “DIRECT” for, Silverlight will block a request from an application running at (Internet) because the target service URL is mapped to the Local Intranet Zone.

While Fiddler is running, it overrides the local proxy settings: it removes the proxy configuration script from the IE settings and evaluates that script itself, internally, when determining the upstream gateway. However, because Fiddler is a directly configured proxy, Internet Explorer has no proxy configuration script while Fiddler is attached. Because no hostnames are configured to bypass Fiddler, all dotted hostnames are treated as Internet Zone unless they are manually mapped to another zone using the Internet Control Panel.

To resolve this problem such that the application works without Fiddler running, you can untick the “Include all sites that bypass the proxy server” option inside Internet Explorer’s Tools > Internet Options > Security > Local Intranet > Sites dialog. Alternatively, you could use the Advanced button in that dialog to map the page hosting the Silverlight application itself into the Intranet Zone, ensuring that the application and its web service URL are running from the same zone.


[1] Blocking of Zone Elevation is a security mitigation adopted by a number of technologies including IE’s XDomainRequest object.
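The zone decision described in this post can be modelled in a few lines. This is an added example, not code from the original post or from Silverlight, IE or Fiddler; the PAC script, the hostnames and the `zoneOf` / `silverlightAllows` helpers are constructed for illustration, and the model covers only the zone-mapping rules this post mentions.

```javascript
// Simplified model of the zone logic described in the post (illustration only).
// The PAC script, hostnames and proxy address are constructed placeholders.

// Constructed PAC script: corporate hosts go DIRECT, everything else via a proxy.
function FindProxyForURL(url, host) {
  if (host.endsWith(".corp.example")) return "DIRECT";
  return "PROXY proxy.example:8080";
}

// cfg.pac: PAC function, or null when a fixed proxy (such as Fiddler) is attached.
// cfg.includeProxyBypass: "Include all sites that bypass the proxy server" checkbox.
// cfg.manualIntranet: hosts mapped to Local Intranet by hand (Advanced button).
function zoneOf(url, cfg) {
  const host = new URL(url).hostname;
  if (cfg.manualIntranet.includes(host)) return "Intranet";
  if (cfg.pac && cfg.includeProxyBypass &&
      cfg.pac(url, host).trim().toUpperCase().startsWith("DIRECT")) {
    return "Intranet"; // host bypasses the proxy, so it is treated as intranet
  }
  return "Internet"; // dotted hostnames default to the Internet Zone
}

// Zone elevation check: an Internet-zone app may not call an Intranet-zone service.
// When this returns false, no cross-domain policy file request is issued either.
function silverlightAllows(appUrl, serviceUrl, cfg) {
  const elevation = zoneOf(appUrl, cfg) === "Internet" &&
                    zoneOf(serviceUrl, cfg) === "Intranet";
  return !elevation;
}

const APP = "http://app.example.com/app.xap";          // constructed
const SVC = "http://svc.corp.example/service.svc";     // constructed
const scenarios = {
  pacActive:       { pac: FindProxyForURL, includeProxyBypass: true,  manualIntranet: [] },
  fiddlerAttached: { pac: null,            includeProxyBypass: true,  manualIntranet: [] },
  optionUnticked:  { pac: FindProxyForURL, includeProxyBypass: false, manualIntranet: [] },
  appMapped:       { pac: FindProxyForURL, includeProxyBypass: true,
                     manualIntranet: ["app.example.com"] },
};

// Evaluate every scenario and report whether the service call is allowed.
function runScenarios() {
  const out = {};
  for (const [name, cfg] of Object.entries(scenarios)) {
    out[name] = silverlightAllows(APP, SVC, cfg);
  }
  return out;
}
console.log(runScenarios());
```

Only the `pacActive` scenario is blocked; the other three correspond to Fiddler being attached and to the two workarounds described above.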

Comments (2)

  1. says:

    Hi Eric,

    I posted a comment but I'm not sure where it went.

    I have a weird problem with Silverlight running OOB on a client network where the HTTP proxy is set through a big Proxy Configuration File.

    The solution might be related to the content of this post; however I have tried everything here w/o success.

    Would you mind taking a look at the post in Silverlight Forum? It would be really useful to have your feedback. …/556112.aspx



  2. @Raciel's problem turned out to be related to a failure to write the proxy configuration file to a temporary file. (Troubleshoot with ProcMon).
