I have an AJAX-Enabled WCF service on website aaa.com and call this service clientside using code like this:

    mySVC.MakeBooking(somedata, onSucccess, onFailed, null);

which works perfectly for me. My question is, can someone from malicious website bbb.com make this call to my server or is the service domain specific?

Lucas Zamboulis
Mike

1 Answer

Yes, anyone can call this service, because WCF supports certificate-based security; otherwise you can implement some type of security yourself, like passing some user ID or key to identify a valid caller, so that if others call it, they will not be returned any data.

Ajay Kumar
  • Ah, OK. I do encrypt any IDs etc., but the yyy.com guy can simply pass that same key and they can get the data. For example, if I have a public service that allows anyone to find their closest McDonald's for example, the yyy.com guy can simply put something on his website that calls my same service but from his site; I can't stop anyone from using the same public key. How would I guard against that? – Mike Sep 10 '13 at 14:15
  • I have come across this on Stack Overflow... [link](http://stackoverflow.com/questions/5686059/how-to-avoid-cross-domain-policy-in-jquery-ajax-for-consuming-wcf-service). Does this mean that cross-domain calls cannot be done by default unless specifically set up in the web.config file? – Mike Sep 10 '13 at 15:12
  • Yes, you can't. It's like you can make some sort of credentials, and you will provide specific credentials to a specific user, and they will pass their credentials to the service with every call to get data – Ajay Kumar Sep 11 '13 at 08:04
  • OK, great. So my WCF service cannot be called from anywhere else other than my domain by default unless I provide a user with some credentials. I hope I got this right? Thanks for your time. – Mike Sep 11 '13 at 08:15
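
The two controls discussed in this thread, an origin check and a per-caller credential sent with every call, sketched as a server-side gate. This is an added example, not code from the question or the answer; the header names `x-caller-id` and `x-caller-key`, the caller `partner-1` and its key are constructed for illustration.

```javascript
// Added example: names, header fields and keys below are constructed for illustration.
const ALLOWED_ORIGINS = new Set(["https://aaa.com"]);
const CALLER_KEYS = new Map([["partner-1", "constructed-sample-key-0001"]]);

// Compare two strings without stopping at the first mismatch.
// (In Node.js, crypto.timingSafeEqual is the library form of this.)
function constantTimeEqual(a, b) {
  let diff = a.length ^ b.length;
  for (let i = 0; i < a.length; i++) {
    diff |= a.charCodeAt(i) ^ b.charCodeAt(i % (b.length || 1));
  }
  return diff === 0;
}

// Decide whether a call such as MakeBooking may proceed.
// `headers` is a plain object with lower-cased header names.
function authorizeCall(headers) {
  const origin = headers["origin"];
  // Browsers attach Origin to cross-site XHR/fetch calls; refuse unknown sites.
  if (origin !== undefined && !ALLOWED_ORIGINS.has(origin)) {
    return { allowed: false, status: 403, reason: "origin not allowed" };
  }
  // A missing Origin proves nothing: non-browser clients send whatever
  // headers they like, so the credential check below is the real gate.
  const callerId = headers["x-caller-id"];
  const presented = headers["x-caller-key"];
  const expected = CALLER_KEYS.get(callerId);
  if (!expected || typeof presented !== "string" ||
      !constantTimeEqual(expected, presented)) {
    return { allowed: false, status: 401, reason: "bad credentials" };
  }
  // Echo the specific origin back for CORS; never "*" on credentialed calls.
  const cors = origin ? { "Access-Control-Allow-Origin": origin, "Vary": "Origin" } : {};
  return { allowed: true, status: 200, caller: callerId, cors };
}
```

A key that is embedded in a public page's script is visible to every visitor, so this gate only identifies callers whose key is issued to them individually and kept out of shared client code.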