Can't use long-term tokens in Silverlight (but can in Flex)

07-06-2011 04:49 AM
SimonLiu
Deactivated User
Hi

I've recently been working with long-lived tokens to authenticate against ArcGIS Server. This doesn't work with Firefox and Silverlight because long-lived tokens require a valid HTTP referrer to be sent from a client's web browser.

IE behaves fine and always sends a referrer, but Firefox doesn't send a referrer for GET requests made from Silverlight or Flash (it does send a referrer with GET requests from JavaScript, and with POST requests from all three web APIs).

I've noticed that the Flex API works around this problem by using POST instead of GET for all ArcGIS Server REST calls that include a token. I know this hack would elicit frowns from HTTP purists, and really this is a problem that Firefox should fix (since IE and other browsers support setting referrers on GET from embedded objects), but I was wondering if anyone in the Silverlight team (if you're reading this) has any thoughts on this issue.

In the meantime, we have to tell our customers that only the Flex and JS APIs support long-term tokens because losing support for Firefox isn't an acceptable option. 😞

Thanks
Simon


P.S. Just to give some background, this GET referrer problem has been a known bug in Firefox since at least 2008, but the FF team either don't care or have deliberately opted to keep it as is

https://bugzilla.mozilla.org/show_bug.cgi?id=410904
(the above bug report is about Flash, but applies equally to Silverlight)
0 Kudos
2 Replies
RichardWatson
Deactivated User
Use a proxy?
0 Kudos
SimonLiu
Deactivated User
Hi Richard

Yep, that's certainly an option, but it's nice to not need a proxy page (which itself needs to be secured properly).

If the Flex API hadn't implemented a workaround for this GET referrer bug, I would've just accepted that long-term tokens shouldn't be used, but since they now work in 2 out of the 3 web APIs, I was just curious whether the Silverlight devs had any plans to implement the same workaround.
0 Kudos
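
A simplified model of the referrer check described in the original post, added here as an example; it is not ArcGIS Server's implementation and not code from any poster. The HMAC token format, the key, the function names and the URLs are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"                 # constructed signing key
PAGE = "https://apps.example.test/viewer.html"   # constructed hosting page


def _mac(user, referrer, expires):
    msg = f"{user}|{referrer}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(user, referrer, lifetime_s, now=None):
    """Issue a token bound to the referrer declared at request time."""
    start = now if now is not None else time.time()
    expires = int(start + lifetime_s)
    return f"{user}|{expires}|{_mac(user, referrer, expires)}"


def check_request(token, headers, now=None):
    """Return (allowed, reason) for a request that carries `token`."""
    try:
        user, expires, mac = token.split("|")
        expires = int(expires)
    except ValueError:
        return False, "malformed token"
    if (now if now is not None else time.time()) > expires:
        return False, "expired"
    referrer = headers.get("Referer")
    if not referrer:
        # The failing case from the post: the plugin GET arrives without a Referer.
        return False, "no Referer header"
    if not hmac.compare_digest(mac, _mac(user, referrer, expires)):
        return False, "Referer does not match token"
    return True, "ok"


def simulate(now=1_000_000):
    """Run constructed requests that mirror the browser behaviour reported above."""
    token = issue_token("simon", PAGE, 30 * 24 * 3600, now=now)
    requests = {
        "IE plugin GET": {"Referer": PAGE},
        "Firefox plugin GET": {},                 # no Referer sent
        "Firefox plugin POST": {"Referer": PAGE},
        "other site GET": {"Referer": "https://elsewhere.example.test/"},
    }
    return {name: check_request(token, h, now=now + 60) for name, h in requests.items()}


if __name__ == "__main__":
    for name, result in simulate().items():
        print(f"{name:22} {result}")
```

The check never looks at the HTTP method; switching to POST helps only because the browser then supplies the Referer header the token is bound to.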