XAML Browser Applications
XAML Browser Applications (XBAP, pronounced "ex-bap") are Windows Presentation Foundation (.xbap) applications that are hosted and run inside a web browser such as Firefox or Internet Explorer. Hosted applications run in a partial trust sandbox environment and are not given full access to the computer's resources like opening a new network connection or saving a file to the computer disk and not all WPF functionality is available. The hosted environment is intended to protect the computer from malicious applications; however it can also run in full trust mode by the client changing the permission. Starting an XBAP from an HTML page is seamless (with no security or installation prompt). Although one perceives the application running in the browser, it actually runs in an out-of-process executable (PresentationHost.exe) managed by a virtual machine. In the initial release of .NET Framework 3.0, XBAPs only ran in Internet Explorer. With the release of .NET Framework 3.5 SP1, which includes an XBAP extension, they also run in Mozilla Firefox.[1]
Filename extension |
.xbap |
---|---|
Internet media type |
application/x-ms-xbap |
Type of format | Package management system, file archive |
Container for | Software package |
Extended from | ZIP |
XBAP limitations
XBAP applications have certain restrictions on what .NET features they can use. Since they run in partial trust, they are restricted to the same set of permission granted to any InternetZone application. Nearly all standard WPF functionality, however, around 99%, is available to an XBAP application. Therefore, most of the WPF UI features are available.[2]
Starting in February 2009, XBAP applications no longer function when run from the Internet.[3] Attempting to run the XBAP will cause the browser to present a generic error message.[4] An option exists in Internet Explorer 9 that can be used to allow the applications to run,[5] but this must be done with care as it increases the potential attack surface - and there have been security vulnerabilities in XBAP.[6]
Permitted
- 2D drawing
- 3D
- Animation
- Audio
Not permitted
- Access to OS drag-and-drop
- Bitmap effects (these are deprecated in .NET 3.5 SP1)
- Direct database communication (unless the application is fully trusted)
- Interoperability with Windows controls or ActiveX controls
- Most standard dialogs
- Shader effects
- Stand-alone Windows
See also
References
- "What is XBAP?". XBap.org. p. Home page. Retrieved 2011-02-16.
XBAP (XAML Browser Application) is a new Windows technology used for creating Rich Internet Applications with a file extension .xbap to be run inside the Internet Explorer. They are run within a security sandbox to prevent untrusted applications from controlling local system resources.
-
"WPF Partial Trust Security". MSDN. Retrieved 2011-02-16.
For XBAP applications, code that exceeds the default permission set will have different behavior depending on the security zone. In some cases, the user will receive a warning when they attempt to install it. The user can choose to continue or cancel the installation. The following table describes the behavior of the application for each security zone and what you have to do for the application to receive full trust.
- "IE9 RC Minor Changes List".
- "IE9 – XBAPs Disabled in the Internet Zone".
- "XBAP - This application type has been disabled". Stack Overflow.
- BetaFred. "Microsoft Security Bulletin MS13-004 - Important". technet.microsoft.com.