How can I allow a Silverlight client application to access a text file on an Apache server, but not allow browser access?

I have a Silverlight 4 application that I am running embedded on a web page. I would like to allow the Silverlight client to download a settings file by doing something like:

Uri url = new Uri(@"config\settings.xml", UriKind.Relative);
WebClient client = new WebClient();
client.DownloadStringCompleted += new DownloadStringCompletedEventHandler(client_DownloadStringCompleted);
client.DownloadStringAsync(u开发者_如何学Crl);

But ideally, I want to return a 403 Forbidden error if the user tries to access the file directly in a browser by visiting http://www.mywebsite.com/config/settings.xml

Is this possible using .htaccess?

Accessing the file from Silverlight or from a web browser looks the same to a web server, so there's not much you can do to guarantee users won't gain access. The best you can do is obfuscate the steps it takes to get the file.

One thing you could do is to turn on HTTP Watch/Firebug/Wireshark and see if the Silverlight client sends any special HTTP headers identifying that it's Silverlight making the web requests. If you can identify something unique, you can configure your web server accordingly so that only requests with that header are allowed.

If there is no such header, another option is to use some sort of authentication. The credentials would be stored in the Silverlight client, so it wouldn't really be that secure, but again, you'd be obfuscating how to get the file.

You could also choose to compile the file into the client instead of accessing it over the web.

Edit:

It doesn't look look like Silverlight sends any identifying headers. You could always append headers to your requests "manually" through your code.

Silverlight will retrieve data via a http request, as it is run client side. There will always be a way to access that file, unless Silverlight can use a custom http agent (which I could not find any reference to), then you can not restrict access.