Two main types of WPF content is sandboxed today:
- XAML Browser Applications (XBAPs). XBAPs are online-only ClickOnce applications that are cached & run in the browser.
- Loose XAML. Loose XAML are XAML-only files that can be navigated to in the browser.
I’ve gotten questions about the specific feature list for the WPF sandbox. Below is the high level list. Other great resources about the sandbox include:
- Windows Presentation Foundation Security Sandbox Whitepaper
- Windows SDK: WPF Partial Trust Security
- Security Notes on individual API reference pages
If you’re interested in why something was including/excluding from the sandbox, check the above whitepaper. If you can’t find an answer here, feel free to post a comment on this blog entry.
V1 Internet Sandbox Features
These features are available in the WPF Internet sandbox:
|
Category |
Features |
| General |
Browser Window |
|
Web Integration |
Browser Download Dialog |
|
Visuals |
2D/3D |
|
Reading |
FlowDocuments |
|
Editing |
Spell Check |
|
Controls |
All basic controls |
V1 Features Excluded from Internet Sandbox
The features are disabled in the WPF Internet sandbox. Some these features were excluded from the sandbox for inherent security reasons. Others were the result of V1 timeline/resource constraints.
|
Category |
Features |
| General |
Window class (includes app-defined dialogs) |
|
Web Integration |
Windows Communication Foundation (“Indigo”) |
|
General Integration |
HwndHost |
|
Visuals |
BitmapEffects |
|
Editing |
RTF Clipboard |
Vocabulary/Drill Downs
- Site of Origin or Same Site Access.
- Ability to talk to back to application deployment server.
- Example: http://foo.com has access content/web services at http://foo.com & http://foo.com/bar. It does NOT have access to https://foo.com (secure) or http://zoo.foo.com (subdomain).
- Simulated Drag/Drop
- OLE Drag/Drop is not enabled in V1.
- App developers can simulate INTRA-app drag/drop using MouseCapture & MouseMove.
- Browser Download Dialog
- Browser-specific download dialog shown when navigating to a file whose HTTP header has ‘Content-Disposition: Attachment’
- As SaveFileDialog is not available in V1 sandbox, Browser Download Dialog is possible workaround.
- IsolatedStorage
- Data storage mechanism that provides isolation & safety. (More details.)
- Place to store data between sessions.
- Partial XAML Clipboard Support
- Copy/paste of content between two Internet XBAPs will copy/paste XAML.
- Copy from a Internet XBAP in to a full trust WPF application will paste plain text.
- Copy from a full trust WPF application in to an Internet XBAP will paste XAML.
- Note: this constraint is to prevent escalation of privilege attacks using the clipboard.
- User Initiated Paste
- Programmatic paste is disallowed in the sandbox.
- Only Ctrl-P & Paste Menus (context menu, browser menu) will result in a paste.
- User Initiated Top Level Navigation
- A navigation is top level if it is to content external to the application.
- Example: <Hyperlink NavigateUri=”http://foo.com>Link</Hyperlink>
- A user initiated navigation is a navigation that results from a user click on a <Hyperlink> element.
- Media (Site of Origin & Cross Domain)
- Rendering & bits/pixel access to site of origin images/videos/audio.
- Rendering (but not bits/pixel access) to cross domain images, with below constraints.
Ahh yeah! 🙂
Hi, thanks for that. I was asking Rob Relyea for just such a list at TechEd Europe last week. I assume its just a typo, but you’ve got the Controls listed in both the supported and unsupported table. Slighly off topic but it might be usefull to someone, I also found out from Paul Andrew that the WF rules engine can’t run in partial trust and therefore an XBAP.
Hi Rob,
Yes, the controls in both places is a typo (and should most definitely only be in the supported table!).
You also are correct about WF – I’ll also add that to the table for clarity.
Thanks for the comments,
Karen
How does an XBAP handle Assembly.Load()?
We have an app with alot of plugins, all currently instantiated with Assembly.Load().
Also, does XBAP download the entire app at once or just as assemblies are referenced?
Thanks
JL
Great summary, Karen, as usual!
Can you confirm how the cross-domain media is supposed to work? Specifically, assume I have an xbap at http://www.foo.com/my.xbap.
It has an Image inside the Page, with Source=http://www.bar.com/other.jpg.
Should the Image render? What if it’s a MediaElement instead of an Image? From your chart above, it implies it ought to render, but I wanted to confirm.
Thanks, Rolf
Thanks Rolf. 🙂
And yes, you’re absolutely right.
http://www.foo.com/my.xbap can render
<Image Source="http://www.bar.com/other.jpg">. Ditto with MediaElement.Thanks,
Karen
Will communication through WCF (at least to WCF Web Services) from the sandbox be supported in future?
Yes, the WCF team is currently investigating supporting partial trust in future versions of the .NET Framework.
Under the general sections the following items are listed:
Available
XAML Serialization (via XamlWriter.Load)
Unavailable
XAML Deserialization (via XamlWriter.Save)
Are these terms used backwards? Shouldn’t Serialization be with XamlWriter.Save and Deserialization be with XamlWriter.Load?
Under Web Integration it shows that the Browser Download Dialog is enabled under the sandbox. What exactly do I run in the xbap to trigger than?
Rob Relyea posted a version of XamlWriter.Save to http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=718928&SiteID=1
Since it appears the functionality of XamlWriter.Save can be reproduced in a few hundred lines of code, is there really anything gained by having it disabled in the framework?
Brian
– You’re right. It’s a typo. Thanks for the catch!
Bryan
– The browser download dialogs is the dialog shown when a user navigates to a file whose content-diposition is set to attachment. (This is set in the HTTP header.) This is useful for scenarios where you’re trying to content from the server to the user’s machine.
– Excluding XamlWriter.Save from the sandbox came down to a V1 time constraint. If this is something you feel should be in the sandbox, please add it to the feature wiki (http://channel9.msdn.com/wiki/default.aspx/WPF.FeatureSuggestions) and explain your scenario. We appreciate the feedback!
Thanks both for the comments!
Thanks for the reply Karen, but what I needed to know is what to do inside the XBAP.
Turns out the only way to do this is to use a hyperlink object. See http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=1212612&SiteID=1
Do you know of another way to “navigate” that will work?
Karen,
Myself and another fellow have been unable to load a custom mouse cursor in an xbap. (see: http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=1536464&SiteID=1&mode=1)
Is this also a limitation of XBAPS? It doesn’t seem to be mentioned anywhere.
From http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=2057106&SiteID=1&mode=1
Is Dispatcher.PushFrame not available in partial trust? If so it’s not documented anywhere. I’m getting pretty sick and tired of finding crap that I can’t do and nobody has bothered to make a note of. I’ve invested alot of time into supporting this new platform just to find out that it’s crippled in unexpected ways that are completely undocumented.
http://young-lolita.sweetylolita.com/free-lolita-thumbs.html free lolita thumbs
Hi keren Really your help about “Loose” “Xbat”
That work only when IE is closed.
I post my question here :
http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=2057135&SiteID=1
You really help me if you could show me how to solve this problem .
Thank alot.
Guy.
Hi,
I need to prevent copy/paste options in sandbox. Can you please suggest me how it can be done. Also please clarify whether sandbox is applicable only for web environment or it can also be used in the windows.
Thanks
I am using sandboxie for testing sandboxie environment. But currently its allowing to copy/paste contents. I need to copy/paste within sandboxie but out of that environment, it paste option should be denied. Any suggestions for implementing this will be helpful. Currently copying out of the environment & paste inside is prevented & I need the reverse case also.