Silverlight 4 Security Overview White Paper

[Update: This paper has been updated and published as the Silverlight Security Overview. -Nick]

Wanted to let folks know about a white paper we're making available (attached below). We plan to incorporate this into the main Silverlight documentation by the time we ship Silverlight 4, but in the meantime I didn't want to keep this content all to ourselves. We have a fair amount of documentation on Silverlight security already, but there are a couple of holes that we hope to address with this paper. The more obvious one is that it's, well, an overview -- sometimes you don't need all the gory details, you need a basic lay of the land so you can orient yourself and figure out which details are relevant to you. The second thing we're trying to address is to give an introduction to our security thinking, for example why it's safe for Silverlight to allow sandboxed apps to open files (OpenFileDialog & isolated storage). We don't get into every detail of every security decision we've made, but it will give you a lot of insight into how we choose what to enable in the sandbox.

As usual, we appreciate your feedback, both about Silverlight and about this paper, either via blog comments or by emailing me directly at nkramer@microsoft.com. Thanks.

Update 11/23 -- Thanks for your feedback, I made some edits based on your suggestions:

  • reorganized the networking section
  • added WebBrowser.NavigateToString() as a way to create XSS holes in Silverlight
  • improved wording -- "keep the user safe" -> "help keep the user safe", got rid of the "provably correct" line, etc.
  • provided pointer to more info on mark of the web
  • fixed a couple typos
  • used .doc instead of .docx

Thanks again, I'm looking forward to the next round of feedback!


Silverlight security overview.doc