
Trusted and sandboxed applications in Silverlight 4


Application developers are constantly pushing the boundaries between Web applications and client applications. We want our Web apps to work more like client apps and vice versa. But Web application developers must face the security implications inherent in the Web-deployed model. The big question: how much trust should be granted to an Internet application?

Silverlight is a great case in point. Imagine that your Silverlight application requires access to the user's webcam or you wish to write files into the My Music folder. Silverlight is a Web technology, or at least is deployed via a browser. To mitigate security concerns, Silverlight is constrained to run in a sandbox. This sandbox restricts what the Silverlight application can do to the local computer. This is sensible, as administrators need assurance that Silverlight applications won't commandeer the system. But this also means that sandboxed applications are walled off from local devices such as hard drives and webcams.

Types of Out Of Browser applications
Silverlight 3 blurred the line between online and offline applications by enabling the Out Of Browser (OOB) setting. In version 3 you can take your application out of the browser, which lets the user enjoy your application while disconnected from the network. Version 4 ramps up the features available to OOB applications.

Living in the sandbox

HTML Hosting: It's now possible to include embedded HTML within your Silverlight application. Use the new WebBrowser control as follows:

 <WebBrowser x:Name="bannerAdControl" Width="300" Height="200" />

 // add HTML to the WebBrowser control (code-behind)
 bannerAdControl.NavigateToString("<h1>Download Silverlight now.</h1>");

Under the hood the WebBrowser control uses WebKit on the Mac and the IE browser control on Windows.

OOB Window settings: Silverlight 4 offers full control over window settings such as start position and size.

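Popup Notifications: You're probably familiar with the animated 'toast' window that is used by Windows applications to provide real-time notifications from email clients. Here's how to launch a notification from an OOB application.

 // NotificationWindow hosts the toast; CustomNotificationWindow is the
 // application's own user control that supplies the visual content.
 var nw = new NotificationWindow();
 nw.Width = nw.Height = 300;
 var cn = new CustomNotificationWindow();
 cn.Header = "New Mail";
 cn.Text = "You have new mail!";
 . . .
 nw.Content = cn;   // the property is Content, not Contents
 nw.Show(3400);     // display duration in milliseconds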

Requesting elevated privileges
Silverlight 4 has a number of new features that need elevated privileges. For security reasons these can only be granted if the user consents to an elevation request. To ask for permission to use the webcam, use the CaptureDeviceConfiguration.RequestDeviceAccess() method. Make this call and you will see the following dialog.

Once the user has granted permission you can grab the video stream with a few lines of code.

 CaptureSource cs;
 var device = CaptureDeviceConfiguration.GetDefaultVideoCaptureDevice();
 if (null != device)
 {
     cs = new CaptureSource();
     cs.VideoCaptureDevice = device;   // bind the default webcam
     cs.Start();

     // paint the live video onto an existing Rectangle named rect
     var brush = new VideoBrush();
     brush.Stretch = Stretch.Uniform;
     brush.SetSource(cs);
     rect.Fill = brush;
 }

Trusted applications
Additional features are available to OOB applications which are granted trust from the user. Simply set the "Require elevated trust…" checkbox in the Visual Studio 2010 properties settings. Yes, Silverlight has a group policy which administrators can use to manage which applications or domains are trusted.

The user will see the following dialog box when converting a Silverlight application to an OOB application.

Now that you have full trust, here is a partial list of the new Silverlight 4 privileges.

  • Full Screen Keyboard Access: To prevent spoofing attacks, Silverlight 3 disables most keyboard events while in full screen mode. In Silverlight 4 this restriction has been lifted for trusted OOB applications.
  • File Access: Read and write to more areas of the hard drive, including My Music, My Documents etc. on Windows and similar locations on the Mac.
  • COM automation: Permits access to COM automation servers like Microsoft Excel, USB security card readers and other devices.
  • Network Cross Domain: Networking restrictions on HTTP access are dropped for trusted OOB applications. Grab resources from any domain without needing a cross-domain policy file in place.
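
Because each of these privileges depends on user consent, code should check what was actually granted before touching a webcam, the file system or COM. The helper below is an added example, not code from the original article; the class name TrustGate and its members are hypothetical, while the Silverlight 4 calls it wraps are the platform's own.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Runtime.InteropServices.Automation;
using System.Windows;
using System.Windows.Media;

// Hypothetical helper: every privileged call is gated on what the runtime
// reports, so the same XAP degrades cleanly when it runs in the browser
// sandbox or when the user declines a prompt.
public static class TrustGate
{
    // True only for an installed OOB app whose trust prompt was accepted.
    public static bool IsTrusted
    {
        get
        {
            return Application.Current.IsRunningOutOfBrowser
                && Application.Current.HasElevatedPermissions;
        }
    }

    // Call from a user-initiated event handler (for example a button Click).
    // Skips the consent dialog if access was already granted.
    public static bool EnsureWebcamConsent()
    {
        return CaptureDeviceConfiguration.AllowedDeviceAccess
            || CaptureDeviceConfiguration.RequestDeviceAccess();
    }

    // File access outside isolated storage is for trusted apps only.
    public static IList<string> ListMyMusic()
    {
        if (!IsTrusted)
            return new List<string>();   // sandboxed: nothing to offer
        string dir = Environment.GetFolderPath(Environment.SpecialFolder.MyMusic);
        return Directory.EnumerateFiles(dir).ToList();
    }

    // COM automation needs trust and a platform that supports it.
    public static bool CanUseComAutomation
    {
        get { return IsTrusted && AutomationFactory.IsAvailable; }
    }
}
```

Run the capture code shown earlier only when EnsureWebcamConsent() returns true, and hide or disable file and COM features in the UI when the matching check returns false.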

