If you are starting to get into integrating web services with Silverlight, you'll notice that you have to have a cross domain policy file in place on the target server, that is to say, the server hosting the service you want to implement.  There are some public web services (Flickr, YouTube, Digg, etc.) that already have these files in place for Flash, but implement in a slightly different way.

When calling a cross-domain service, Silverlight will check for the existence of clientaccesspolicy.xml first.  This is the format defined by Silverlight and provides a pretty flexible way to define who can access what services.  If not found, it will then default to look for crossdomain.xml, which is the file format implemented for Adobe Flash.  It is important to note that this file will also still work for most public web services.

But now perhaps you are the author of the service that your application is going to consume and/or the public will consume.  There are a few things you want to consider.  First, it would be a best practice to put your service layer on a separate domain other than your site (i.e., api.mysite.com).  In fact, this is how most are doing it these days.  These helps separate more distinctly the services from the web site and also separates the cross-domain security concerns away from the content site versus API access.  Once you have done that you'll want to implement your specific clientaccesspolicy.xml file.

When Silverlight 2 was released to beta, I created some quick helper files to assist me with creating this simple policy file (it is simple, but can get complex depending on how granular you want to define your access).  I figured it might be helpful to some who are implementing services as well.  Sure, they aren't going to save the world, but might save you some quick typing.

Visual Studio Code Snippet

The slcap.vsi file is a Visual Studio Community Installer package which contains "slcap.snippet," which is a Visual Studio code snippet format.  This is an XML snippet, so would be used only in the context of an XML file.  Just double-click on the .vsi file to install and it will walk you through the steps.  I recommend just keeping the defaults.  After it is complete, you now have an Intellisense snippet.  To use it and create a new clientaccesspolicy.xml add a new XML file to your web service site/project named clientaccesspolicy.xml.  It will open a blank XML file by default.  Select all text (CTRL+A).  Then hit the keyboard shortcut for launching XML snippets, CTRL+K,X.

NOTE: For some reason XML snippets don't operate like C#/VB ones do where you type the shortcut, then TAB, TAB.  If anyone knows why, let me know :-)

This will bring up the navigator, then simply navigate to the My XML Snippets, then locate the one you just installed:

Once you select it, there are three literal areas to override the defaults if you wanted. 

UPDATE: As Sean probably ran into below (in comments), the above screenshot does not show the required http-request-headers attribute required on the allow-from node of the policy file.  This is, however, updated in the Intellisense files and the code snippet template.  Thanks Sean for pointing out the screenshot is wrong here.

If you are implementing a completely public web service (open to anyone for cross-domain access), then the defaults will suffice.  When done changing the values, hit enter and you are done.  For those who are not keyboard shortcut masters and would be using a mouse to do all this, it might not be terribly faster to be honest (if the TAB,TAB implementation was there for XML snippets, it would eliminate the arrow up/down to navigate to the snippet).

Get the slcap.snippet here.

Visual Studio Intellisense Files

This next step is a super hack that I originally did and decided it might not be a good idea, but I'll include it here anyway :-).  This involves adding Intellisense files to your VS2008 installation and if you aren't comfortable with that, then move along.

First, you'll want to get the XSD I created, which is very simple and I'm sure doesn't fully conform to the final spec, but lacking that spec, it maps to the format well enough.  Copy the clientaccess.xsd file to the C:\Program Files\Microsoft Visual Studio 9.0\Xml\Schemas location (or wherever VS2008 is installed for you).  Once you've done that you have to add an entry into the catalog.xml file to add the mapping.  Again, not this is my little hack so I created some namespace because there wasn't one defined yet.

Once you have those two files you have Intellisense for your clientaccesspolicy.xml file if you want it.  Following similar steps as above, create the new file.  This time, however, type the root node of <access-policy> but adding the 'xmlns' attribute pointing to the new namespace you just added to the catalog file (note: Intellisense should give you a list to choose from:

Once you have that, then you'll get the rest of the Intellisense for the basic format of the client access policy format.  If you have multiple allow-from/grant-to needs, this Intellisense will support it.

The only lame thing is you have my namespace in there :-).  That is what drives the Intellisense.  Right now you'll want to remove that before deploying the actual file.  Yeah, I know.  But I said this was an early hack of mine didn't I?

Get the Intellisense files here.

What do to with the completed policy file?

Either way, when you are done with the file, it needs to go in the ROOT of the domain.  This is important as it is not the application root, but the root web.  Even if your app is at foo.com/myapp, the policy file needs to be at foo.com/clientaccesspolicy.xml.

Anyhow, maybe these files will help you.  Ideally you won't be using/messing with an access policy file much, but this might save you some clicks and having the docs open next to you :-).

I've been with Microsoft now for over 3 years and have loved every minute of my time here.  For the time leading up to being hired at Microsoft, it was a professional goal of mine to work for the company.  Fanboy?  Sure, call me whatever you want.  I prefer to just call it passion.  I joined as a developer evangelist for my community (an area we call desert mountain which spans Arizona, Nevada, New Mexico, Colorado, Utah, Wyoming, and Montana).  This was an easy thing to say yes to because everything I learned I learned from being a part of a community, whether that be online or offline.  I've met a lot of great people along the way and made new really good friends.  I hope that on some level I've been able to help the communities in my area progress a little better or learn something along the way.  I know that there are some that still need some more help and I know that over time we will get there.

As of April 1, I'll be starting a new role on the Silverlight team, focusing on you...the developer and designer.  'Evangelism' is a funny word when used in the context of Microsoft.  You would think (and in some cultures it doesn't translate well) that I'm a missionary of sorts.  Well, whatever you want to call it I like to think I'm not moving to far away on the evang-o-meter.  I'm just getting narrow focus and broader goals.  My focus will be on Silverlight.  My community: you.

I'm working in ScottGu's organization and will be joining forces with Jesse Liberty to help serve the developers of the world for Silverlight.  I'll be much more visible on the Silverlight community site (I started out spending a lot of time there but for workload reasons couldn't sustain).  I'll be helping out with the 'How Do I?' series of videos for Silverlight.  And, if I'm lucky, I'll be able to show up at events across the globe (I hear there's one in Belgium coming up...hmmm, I've never been to Belgium) talking about Silverlight and sharing my passion.

I'm real excited about this opportunity and working with all you talented developers and designers.  All my contact information stays the same and the virtual door is always open...keep the feedback and suggestions coming!

(And no, this isn't an April fools joke...unless my new manager Simon is an evil, evil person.)

My children are not yet the age where they are asking me for a cell phone or begging for text messaging plan or anything, but I see my friends' children going through this now.  It's weird that this new generation will expect just to have a cell phone, like we did with other items (maybe the most high tech was a calculator).  What concerns me, though, is the abuse of the cell phone and it serving as a disruption during school or other times when it shouldn't be used.

The request is usually made as a "well mom, what if it is an emergency?" type attempt to obfuscate the real reason of "how am i supposed to tell julie about how mark almost kissed me?"  Just the other day I went to visit a friend and his 13 year old came out of the house, immediately flipped her Sidekick open and started texting away.  It was a weird thing to see.  My oldest is about 7 years away from that same spot (if not sooner).  This got me thinking of how cell phone companies have an opportunity here to serve the younger youth market (<18) and that of the parent population at the same time.

You see, some have tried to create family type plans and kid-friendly devices, but I think some are missing the boat here.  The best I've seen was something from Verizon which limited calling capabilities to a mom/dad/home selection type thing.  What I think might be desirable (caveat this is coming from a geek) is a full-featured phone, with the service that is controllable.  For example, I might want:

• to define the hours of operation for the calling service
• to define the hours of operation for texting
• some type of logging on text messaging
• ability to specify acceptable calls
• ability to specify 'zone' calling (i.e., states allowed to call)

I think for me, as a parent, having this control would make me feel more comfortable about seeing a cell phone on a school ground.  If I could say the phone can't be used from 9:00 AM - 12PM and then again from 1:00 PM - 3:00PM, then it helps alleviate the abuse of the phone and the use as a disruption in unwanted situations.

But what about those emergencies?

Sure, legitimate concern.  Something is happening on school grounds or a dangerous situation.  I think maybe an effective use of a dual-PIN system is in place here.  First, for incoming calls.  If someone called the device during non-operative hours (same for texting), then the caller would have to know an "accept" PIN.  So if mom needs to get in touch with Julie, she calls, is prompted for a PIN and the call goes through.  Of course, this concept relies on mom not telling Julie what the PIN is and then all her friends know (but again, that is where tracking can come in).

For outbound operation that might get trickier.  If using a simple PIN that doesn't serve any purpose.  Julie will still call/text Susie about Mark...and just enters the pin (reporting here would show PIN abuse).  But what about some type of user-defined threshold?  Mom says the account can only use the PIN unblock for outbound calls a maximum of 2 times during non-operative blocks.  Maybe that would work.

Anyhow, just something I was noodling on late night.  I'd love to see this.  I think it would make for a great product that is flexible and give some ease and control back to parents.  A really nice online application to give the parent control to change these at any time and the effects are immediate is necessary as well.  I can see a situation where the non-operative time needs to be immediately removed.  One click, boom, phone is operational again.

Am I crazy big brother parent thinking here? 

Ever since I released my version of the Foxit PDF Preview Handler, I've been flooded with comments about building a version that works for Windows XP.  You see XP doesn't have the preview host that Vista has built into the operating system.

Well, I finally had some time to hunt down some code and get it working, thanks to the help of Ryan Gregg from the Outlook team.  I released the sample code I used as a base for this as a part of our Code Trip project.  You can view my short screencast explaining one of the core pieces here using the Code Trip's embedded Silverlight player:

You can download the Foxit PDF Preview Handler for XP here.  If you have Windows Vista, I recommend you stick with the existing one for Vista as it leverages the existing preview host that is built into Vista.

Hope this helps!

If you are doing Silverlight development, you are no doubt slapping in the <object> tag or using the <asp:silverlight> control (if in ASP.NET) to host your Silverlight content/application.  This is all great, but don't forget about deployment!

When I talk about Silverlight I like to relay a story I heard from one of the Silverlight program managers (PM) a while back.  The PM was pretty excited about a feature just completed in Silverlight and one of the samples that had been created.  He went home to show his wife and told her to 'go to 'dub-dub-dub-dot-something-dot-com' (yelling from the other room of course) and to tell him what she thought.  After a long pause of a few minutes he shouted back 'what do you think?'  Her response: 'It's lame.'  He was no doubt offended until he walked up to her machine and on the screen saw this:

The Problem

You see, 'Get Silverlight' means nothing to your mother-in-law (or wife in this matter).  Technology means nothing to non-geek users.  Content is king.  And to your non-savvy users (and even your savvy ones), leaving this default experience isn't a wise one.  It doesn't convey that there is anything of value by installing something they might not have.  It doesn't even convey what the action is going to be when they 'Get Microsoft Silverlight.'  Leaving this experience unchecked leaves your users in the dark as well as a reputation rank downward in my opinion.

NOTE: This site is likely riddled with these badges as seen above.  I'm claiming exempt status because they are samples :-).

While in Silverlight 1.0 creating a great install experience was possible, Silverlight 2 makes that process so much easier.  In Silverlight 1.0, the use of the silverlight.js file could aid in detection and direction to an alternate experience.  This method is still possible in Silverlight 2, and in fact might be a best practice still.  Most interactive developers using Flash use some method of script creation in instantiating the Flash host.  This is mostly due to the IE EOLAS "click to activate" issue that has been resolved and will remedy in an upcoming IE update.

Some Solutions

So that brings a few methods for instantiating the Silverlight control host.  You can still use a script method to do the check for you and provide alternate content or redirect to something.  You can also still simply include the <object> tag itself.  My favorite is using the simple <object> tag and tricking the HTML.  You see an object tag might look like this:

<object type="application/x-silverlight-2-b1">
    <param name="source" value="ClientBin/CallingServices.xap"/>
    <param name="onerror" value="onSilverlightError" />
    <param name="background" value="white" />
    <div id="no-sl" class="install-badge">Some descriptive information</div>
</object>

Notice the random HTML after all the params?  Browsers will read the HTML like a book (US-English) from top to bottom.  They get to the object tag and can't understand it, so will look at the next part of the DOM.  Param tags...nope don't get it.  Next part.  Oh, a <div> element...yep I understand...begin render.

Within here you can put an image or some element with a CSS class that is absolutely positioned, etc.  Bottom line is you own that experience.  It is now on you, the developer, to ensure that your users aren't just seeing 'Get Silverlight' but are being provided at least some explanation of what they are about to see, why they should install this plugin, etc.

Some Examples

Perhaps you need some inspiration?  Here's some examples from some recent sites...

Silverlight.net Gallery

Zombomatic Game on Miniclip.com

WWE Insider Video

Hard Rock Memorabilia Site

65th Annual Golden Globes

Major League Baseball Video

As you can see, the options are endless from very simple, to heavily branded. 

Testing your deployment experience

So now that you've decided you are going to optimized that "no Silverlight" experience, how do you go about testing it?  Well, here's a simple trick that I employ to do this.  There is no need to uninstall/re-install the runtime on your machine.  In fact, this will likely give you headaches in doing so and waste endless minutes :-).  Here's a simpler way.

In Internet Explorer you have the ability to manage your add-on experience.  To test your "no Silverlight" experience, simply do the following.

To make it easier go to a page with Silverlight content.  You can do this without this step, but it will cost you 2 extra clicks and I'm trying to save you time.

Next, go to Tools...Manage Add-ons...Enable or Disable Add-ons:

Now, find Microsoft Silverlight in the Enabled section and change the radio button to 'Disable' and click OK. 

You will be prompted with a message which you can just click OK through.  The page will be refreshed and the Silverlight plug-in no longer enabled.  Now any site you visit will give you the "no Silverlight" experience for you to test your deployment experience.  When you want to re-enable, simply repeat the process and choose 'Enable' and you are back in business.  No messy control panel uninstall/re-install mess.

I'm not a Firefox power user and couldn't find an easy way to do this rapidly without installing another plugin, so if anyone knows the similar method in Firefox, please enlighten me (or Safari for that matter).  I tried searching and found solutions of moving the plugin out of the /plugins folder in Firefox so I'd imagine you could batch script this out.  I really like the ease that Internet Explorer provides in managing my own preferences for each add-in running.  Looks like this gets even better in IE8.  I'm actually surprised it isn't a part of Firefox.

Summary

The bottom line is: don't ignore this experience.  This is your chance to explain that the user is about to see premium content, a better user experience, a fun game, whatever it is you are trying to convey.  I hope this has helped at least some be enlightened on ensuring you make that a work item in your task list and the tip of disabling the add-in is helpful to some.