if you worked with Silverlight and WCF, you no doubt are familiar with ClientAccessPlicy.xml. Recently I found a use case that is not documented in the link above and had me stumped actually. Our application was hosted on a subdomain, something like my.mysite.com. I added client access policy file to the root of the domain, mysite.com, but was still getting security exceptions. The security white paper (see link above) mentions sub-domains but only from perspective of the hosted file. Once I put clientaccesspolicy file at the root of the subdomain, my errors went away. Not something I expected to find.