As with similar browser plug-ins, Silverlight applications are not allowed to communicate with 3rd-party domains by default. That is, an app loaded from http://fabrikam.com cannot make web requests to http://contoso.com. Contoso can declaratively enable this scenario by publishing a cross-domain policy file—generally either a CrossDomain.xml or ClientAccessPolicy.xml file served at the root of the domain.
Why is this necessary? Couldn’t the Fabrikam application just run a proxy on fabrikam.com that sends requests to contoso.com on behalf of the client?
There are a few specific reasons why allowing cross-domain connections from the client is bad:
There may be more reasons, but these are very good ones by themselves.
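The declarative opt-in described at the top of this page, sketched as an added example (not code from the original post or from Silverlight itself): a Python model of how a ClientAccessPolicy.xml served by contoso.com decides whether an app loaded from fabrikam.com may call a given path, plus a check for wildcard grants. The sample policy, the function names and the matching rules (exact origin or `*` only, no subdomain wildcards or header checks) are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample of a policy contoso.com could serve at /clientaccesspolicy.xml.
SAMPLE_POLICY = """<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from><domain uri="http://fabrikam.com"/></allow-from>
      <grant-to><resource path="/api" include-subpaths="true"/></grant-to>
    </policy>
  </cross-domain-access>
</access-policy>"""


def origin_of(url):
    """Normalise a URL to scheme://host[:port], lower-cased."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def path_granted(resource, path):
    """True if a <resource> element covers the requested path."""
    base = resource.get("path", "").rstrip("/")
    if path.rstrip("/") == base:
        return True
    subpaths = resource.get("include-subpaths", "false").lower() == "true"
    return subpaths and path.startswith(base + "/")


def is_allowed(policy_xml, app_url, request_path):
    """Assumed simplified model: exact-origin or "*" domain match only."""
    app_origin = origin_of(app_url)
    for policy in ET.fromstring(policy_xml).iter("policy"):
        domains = [d.get("uri", "") for d in policy.iter("domain")]
        if not any(u == "*" or origin_of(u) == app_origin for u in domains):
            continue
        if any(path_granted(r, request_path) for r in policy.iter("resource")):
            return True
    return False  # no policy matched: the default is to deny


def wildcard_policies(policy_xml):
    """Audit helper: count policies that open resources to every domain."""
    return sum(1 for p in ET.fromstring(policy_xml).iter("policy")
               if any(d.get("uri") == "*" for d in p.iter("domain")))
```

When auditing policy files fetched from hosts you do not control, parse them with a hardened XML parser rather than the standard-library one used here.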