In the past few days I have been working on my Silverlight 3 skills, creating proofs of concept, playing with the new controls and techniques and, of course, learning more about Expression Blend.
I have been putting together a Twitter client built as a Silverlight 3 app. I was using the System.Net.WebClient class to call the Twitter Search API method in an asynchronous fashion. It had worked perfectly until yesterday, when I started to get a security exception that prevented the app from accessing the Twitter Search API.
I thought I was doing something wrong and I have been pulling my hair out trying to find a solution. I searched online for similar issues, all referring to cross-domain issues. I thought that wasn't my case since the app behaved fine until yesterday. After talking about the issue with my colleague and friend Stephen Rettinger, he pointed out that actually, the problem was the cross-domain policy file on the Twitter servers.
After taking a closer look, he realized Twitter is blocking all external domains and pretty much only allowing access from their own domains. Steve found a couple of discussions about the topic (here and here) and confirmed that the Twitter folks had in fact restricted all external domains. Why? Supposedly they made the change because they want to enhance their security. The result? RIAs built in Flash/Flex/Silverlight are no longer able to access their API directly without using a proxy app.
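To see why a tightened policy file cuts off third-party clients, the following added example (not code from this post or from Twitter) evaluates a Flash-style `crossdomain.xml` for a given origin. The two policies are constructed samples on `example.com`, the wildcard matching is a simplified model, and the Silverlight check reflects its documented rule that it honours `crossdomain.xml` only when the file opens the site to all domains.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies, not copies of any real site's files.
OPEN_POLICY = """<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>"""

RESTRICTED_POLICY = """<cross-domain-policy>
  <allow-access-from domain="api.example.com" />
  <allow-access-from domain="*.example.com" />
</cross-domain-policy>"""


def allowed_domains(policy_xml):
    """Return the domain patterns listed in allow-access-from elements."""
    # For files fetched from untrusted hosts, use a hardened XML parser.
    root = ET.fromstring(policy_xml)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a crossdomain.xml policy")
    return [el.get("domain", "").strip().lower()
            for el in root.iter("allow-access-from")]


def pattern_matches(pattern, host):
    """Simplified matching: '*' is any host, '*.x' is a subdomain of x."""
    host = host.lower().rstrip(".")
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # keeps the leading dot
    return host == pattern


def flash_allows(policy_xml, origin_host):
    """Would a Flash/Flex client served from origin_host be let in?"""
    return any(pattern_matches(p, origin_host)
               for p in allowed_domains(policy_xml))


def silverlight_accepts(policy_xml):
    """Silverlight honours crossdomain.xml only when it opens the whole
    site to every domain, so any narrower policy blocks it outright."""
    return "*" in allowed_domains(policy_xml)


def audit(policy_xml, origin_host):
    """Summarise the outcome for both client runtimes."""
    return {"flash": flash_allows(policy_xml, origin_host),
            "silverlight": silverlight_accepts(policy_xml)}
```

Running `audit` against a policy before and after a change shows which client origins lose access, which is the check a service owner would want to make before tightening the file.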
They may have their reasons, but they made the change without telling anybody. Because they did not notify users or developers, there are a lot of people complaining about it, and they have a reason to. In my opinion their change was crappy and the lack of notifications and acknowledgement on their site is far from desirable. If you put effort and time into building applications against a service, it is not right to change the rules without letting people know. I guess many people will stop working with their services.
I hope this helps people having the same issue to recognize the cause without losing time wondering what they are doing wrong, since it is because the Twitter folks made the change to their cross-domain policy.
I'm working on a solution for this, probably implementing a WCF middle tier to serve the SL app. More about it coming soon...