Very confusing Silverlight, Amazon S3, and clientaccesspolicy.xml problem

Question

This is an odd one.

I'm using Amazon S3 for storage of files in my Silverlight 4 application. Because of the file restrictions associated with the REST API and S3 (files have to be < 1mb for REST), I'm trying to get the SOAP calls to work.

I followed the tutorial written by Tim here http://timheuer.com/blog/archive/2008/07/05/access-amazon-s3-services-with-silverlight-2.aspx

minus the parts about CNAME's since he updated and said it was bad to do that for security, but kept having issues connecting till it just magically started working this morning and I was able to get a list of all my buckets! So I thought it was fixed, until a few minutes ago when I restarted Chrome and then tried the application again, and it no longer connected to the SOAP endpoint and VS gave me the cross-domain error.

However, I thought about all the stuff I had done earlier to get it working, and the only thing I could think of was that I had a tab open with the clientaccesspolicy.xml file open via bucket.s3.amazonaws.com/clientaccesspolicy.xml. So I tried opening it up again in a new tab, opened my application in another, and then the SOAP calls started working! It only works when the file is open in a tab!!! I've tried it in Firefox and IE as well, same thing!

I have Fiddler, and it doesn't seem to actually ever make a call to the clientaccesspolicy.xml, unless it's hidden inside one of the SSL calls which then there's no way to tell, but there's no straight out calls to .s3.amazonaws.com/clientaccesspolicy.xml going through Fiddler like some other questions on here said there would be.

Would really appreciate some help here guys, thanks.

Edit: Since someone will probably ask for it, this is the clientaccesspolicy.xml file I'm currently using. I know it's not the most secure, just trying to get this to work before I take the wildcards out

<access-policy>
    <cross-domain-access>
       <policy>
         <allow-from http-methods="*" http-request-headers="*">
            <domain uri="http://*"/>
            <domain uri="https://*"/>
         </allow-from>
         <grant-to>
            <resource path="/" include-subpaths="true"/>
         </grant-to>
        </policy>
    </cross-domain-access>
 </access-policy>

Edit 2: This appears to be an issue HTTPS. If I force my endpoint to be http, instead of the https required by Amazon, Fiddle does show SL accessing the clientaccesspolicy.xml file.

Answer 1

So I figured it out.

The first problem, about why it would work if I opened it, was not because of a cookie being set (per say), but that accessing it that way over https made me accept the SSL security policy for amazon.

The second problem, I shouldn't have had to accept it. The SSL wildcard amazon uses, *.s3.amazonaws.com, doesn't match buckets that contain periods in them. So as I was following Tim's tutorial I made all my buckets like this

bucketname.domain.com

and when I tried to access it that way through SOAP (and subsequently https), it wasn't working because the wildcard wasn't being matched. Changed all my buckets to contain no buckets, and it worked.

Should also note that Tim's tutorial no longer works as he's using http and in June of this year Amazon forced SOAP calls over https, so http calls no longer work.

Answer 2

When you open the clientaccesspolicy.xml file in another tab I'm guessing you are passing some credentials which allows you to access it. This sets a cookie which Silverlight can then use to access the clientaccesspolicy.xml file as well. When you close the browser you lose the cookie and thus the access to the file.