Moving Beyond the Browser – Elevated Trust Applications

Silverlight introduces out of browser application with elevated trust. These applications require user consent at install time and run outside the browser with elevated trust. To enable a trusted application, the developer must first check the “Require elevated trust when running outside the browser” permissions checkbox in the Out-of-Browser settings for the Silverlight project as shown at the bottom of the image below.

Figure 31

Out of Browser Settings

Setting this checkbox allows the Silverlight application, when installing Out-of-Browser, to prompt the user to request permission to operate as a Trusted Application. You can check if the application is running with elevated permissions using the following code.


if (App.Current.HasElevatedPermissions}

Native Integration

One feature of a Trusted Application is the ability to use native integration to perform automation operations such as COM Interop with Windows. This feature also has support for IEnumVARIANT; so you can foreach over a collection returned by the Automation server.

You can check if the application is running Out-of-Browser by checking the AppCurrent.IsRunningOutOfBrowser property. You should also check the AutomationFactory.IsAvailable property before using automation.

When checking the AutomationFactory.IsAvailable property, it will also make an internal call to AutomationFactory.IsRunningOutOfBrowser. So there is no need to explicitly call both.

If both return true and Microsoft Office is installed, you can create an instance of an object such as Microsoft Word using the AutomationFactory.CreateObject method. Thanks to the new dynamic keyword in .NET 4 that allows you to create an object which is unknown at compile time, you can create an instance of Word and manipulate it. The code below shows how to do this.


if (AutomationFactory.IsAvailable) { dynamic word = AutomationFactory.CreateObject("Word.Application"); word.Documents.Add(); word.Selection.Paste(); word.Quit(); }

File System Access

Another feature of a Trusted Application allows access to the file system; specifically the Documents, Videos, Pictures, and Music folders under the user’s profile. You can specify which folder you want to open by passing one of the Environment.SpecialFolder enumerator values to the Environment.GetFolderPath method. This method returns the path of the folder which can then be used to perform file operations, as shown in the code below:


var sampleFile = @"\sample.txt"; var path = Environment.GetFolderPath(Environment.SpecialFolder.MyPictures)); if (System.IO.File.Exists(path + sampleFile)) { System.IO.File.Delete(path + sampleFile); } StreamWriter sw = File.CreateText(path + sampleFile); sw.WriteLine("<root>some data</root>"); sw.Close();

Cross-Domain Networking Access

An Out-of-Browser Trusted Application can perform cross-domain network calls. This allows the Silverlight client to make calls to a domain other than that in which the Silverlight application is hosted. has a policy file in place that prohibits cross-domain access. Cross-domain calls must be made using the client networking stack, which can be done using the following code.


var uriString = string.Format(@"{0}.xml?count=50", username); WebClient request = new WebClient(); WebRequest.RegisterPrefix("https://", WebRequestCreator.ClientHttp); request.DownloadStringCompleted += new DownloadStringCompletedEventHandler(client_DownloadStringCompleted); request.DownloadStringAsync(new Uri(uriString));

Full File Path on Open and Save Dialogs

Silverlight Trusted Applications also allows full access to the file path of the local computer. The OpenFileDialog and SaveFileDialog objects both can allow access to the full file path so you can open, read, and save files as shown in the sample code below.


OpenFileDialog dlg = new OpenFileDialog(); dlg.ShowDialog(); var file = dlg.File; if (file != null) { MessageBox.Show(file.DirectoryName); FileStream fs = file.OpenRead(); //... }
You can access the full path as long as you have access to the location. So if you use the open dialog and pick an image file from c:\Foo\ you will not get the full path. But if you picked it from the Pictures folder, you would.

Sockets Security

The sockets security restrictions do not apply when running a Silverlight 4 Trusted Application.

XAP Signing

Elevated trust out-of-browser applications enable developers to take advantage of platform features that are inaccessible to sandboxed Silverlight applications. You can digitally sign your XAP files to reassure end users of the authenticity of an application’s publisher and that the code’s integrity is intact. This feature only applies to trusted apps; sandboxed XAPs may be signed but doing so will have no effect on it.

When a user attempts to install an elevated trust out of browser application, the user will be presented with a dialog as shown below.

Figure 32

Unverified Publisher Install Dialog on Windows

Figure 33

Unverified Publisher Install Dialog on Macintosh

A signed XAP would prompt the user with a dialog similar to the following:

Figure 34

Verified Publisher Install Dialog on Windows

Figure 35

Verified Publisher Install Dialog on Macintosh

XAP signing also affects an elevated trust application’s ability to update itself. For an update to be allowed, the installed XAP and the update candidate (the new XAP) must be signed with matching certificates that have not expired.

A XAP can be signed post-build using the SignTool.exe command line tool which is in the Windows SDK, as part of Visual Studio 2010 and a handful of other packages. XAPs must be signed using code signing certificates.

You can obtain a digitally signed certificate from various publishers. Prices range and most tend to be valid for 1 year before expiring.

To sign a XAP using a test certificate for development purposes, open a Visual Studio Command Prompt and type the following to create a root certificate:

Command Line

makecert -n "CN=My Root Certificate Authority" -r -a sha1 -sv c:\Demo\TestOOBRootCA.pvk c:\Demo\TestOOBRootCA.cer -sr LocalMachine -sky signature

When prompted for a password enter a password and write it down so you do not forget it. You'll be prompted to enter the password a few times. Enter the same password each time. Now type the following into the command window and press Enter to create a child certificate that can be used for code signing. It will be signed by the root certificate created earlier.

We strongly recommend using a password that uses some combination of letters, numbers and special characters.

Command Line

makecert -sv c:\Demo\TestOOBCodeSigningCA.pvk -iv c:\Demo\TestOOBRootCA.pvk -n "CN=Test OOB Crew Code Signing CA" -ic c:\Demo\TestOOBRootCA.cer c:\Demo\TestOOBCodeSigningCA.cer

Enter the password when prompted. Generate a PFX file (contains the password and the private key in one file for convenience). Note that the same password entered earlier is used.

Enter the following into the command window and press Enter:

Command Line

pvk2pfx -pvk c:\Demo\TestOOBCodeSigningCA.pvk -spc c:\Demo\TestOOBCodeSigningCA.cer -pfx c:\Demo\TestOOBCodeSigningCA.pfx -po password

Enter the password when prompted. Now that you have a certificate you are ready to sign the XAP. If you purchased a digital certificate you would skip right to the next step where you sign the XAP. Type the following command to sign the XAP:

Command Line

signtool sign /v /f c:\Demo\TestOOBCodeSigningCA.pfx /p password c:\Demo\SilverlightApplication2\SilverlightApplication2.Web\ClientBin\SilverlightApplication2.xap

If the XAP was successfully signed you'll see verbiage similar to the following in the command window.

Figure 36

Signing a XAP using signtool.exe

Every time an out of browser Silverlight project with elevated trust is built with Visual Studio 2010, a new XAP is created. This new XAP must be signed once again. For development purposes you can add a post build event and perform the signtool sign command to sign the XAP after each build.

Silent Install with SLLauncher.exe

You can perform a silent installation using sllauncher.exe with Silverlight 4. Silent installs are useful for installing a Silverlight application directly on a machine using a command line, .bat file or from a DVD. The sllauncher.exe can be run using the /install switch to point to the location of the XAP file to install. Also, set the /origin switch to the URL where the XAP file is hosted. The /origin switch indicates where the XAP file will get any future updates from. The following example

Command Line

"C:\Program Files\Microsoft Silverlight\sllauncher.exe" /install:"C:\Demo\OOBDemo.Web\ClientBin\OOBDemo.xap" /origin:"https://localhost:49786/ClientBin/OOBDemo.xap" /shortcut:desktop+startmenu /overwrite

Custom Window Chrome

When running a trusted out of browser application the window chrome can be customized. You can change the window chrome by opening the out of browser settings in Visual Studio and selecting the Window Style to be one of the options as shown in the figure below.

Figure 37

Customizing the Window Chrome

Full Keyboard in Full Screen Mode

A Silverlight Trusted Application enables all keyboard input when in full screen mode. The Content.IsFullScreen property determines whether the Silverlight plug-in displays as a full-screen plug-in or as an embedded plug-in. If you set the IsFullScreen property to true, the Silverlight plug-in displays in full-screen mode.


var isFull = this.Host.Content.IsFullScreen

When the screen is put into or taken out of full screen mode, the FullScreenChanged event fires. When a Silverlight plug-in displays in full-screen mode, it briefly displays the message "Press ESC to exit full-screen mode". This message alerts the user that the application is now in full-screen mode, and provides information about how to return to embedded mode.

Figure 38

Full Screen Mode Message

The Silverlight plug-in does not support OpenFileDialog and SaveFileDialog in full-screen mode, so you should exit full-screen mode before using these classes. Full-screen mode does not support multi-touch input either.