XAML Browser Applications
Filename extension | .xbap |
---|---|
Internet media type | application/x-ms-xbap |
Type of format | Package management system, file archive |
Container for | Software package |
Extended from | ZIP |
XAML Browser Applications (XBAP, pronounced "ex-bap") are Windows Presentation Foundation (.xbap) applications that were intended to run inside a web browser such as Firefox or Internet Explorer through the NPAPI interface. Because NPAPI has been phased out in recent years, and because of a lack of support, there are currently no browsers that support XBAP applications.[1]
Hosted applications run in a partial-trust sandbox and are not given full access to the computer's resources, such as opening a new network connection or saving a file to the computer's disk; not all WPF functionality is available either. The hosted environment is intended to protect the computer from malicious applications; however, an XBAP can also run in full-trust mode if the client changes the permission. Starting an XBAP from an HTML page was seamless (with no security or installation prompt). Although the application appeared to run in the browser, it actually ran in an out-of-process executable (PresentationHost.exe) managed by a virtual machine.
XBAP limitations
XBAP applications are restricted in which .NET features they can use. Because they run in partial trust, they are limited to the same set of permissions granted to any InternetZone application. Nearly all standard WPF functionality, around 99%, is nevertheless available to an XBAP application, so most WPF UI features can be used.[2]
Starting in February 2009, XBAP applications no longer function when run from the Internet.[3] Attempting to run the XBAP causes the browser to present a generic error message.[4] An option exists in Internet Explorer 9 that can be used to allow the applications to run,[5] but this must be done with care because it increases the potential attack surface, and there have been security vulnerabilities in XBAP.[6]
Permitted
- 2D drawing
- 3D
- Animation
- Audio
Not permitted
- Access to OS drag-and-drop
- Bitmap effects (these are deprecated in .NET 3.5 SP1)
- Direct database communication (unless the application is fully trusted)
- Interoperability with Windows controls or ActiveX controls
- Most standard dialogs
- Shader effects
- Stand-alone Windows
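The Internet Explorer option that re-enables XBAPs per security zone can be audited from a registry export; the following is an added example, not code from the original article or from Microsoft. It assumes the zone URL action ID 2400 (".NET Framework: XAML browser applications") and the policy values 0, 1 and 3 from Microsoft's security-zone registry documentation; the function name `audit_xbap_zones` and the sample export are constructed for illustration.

```python
import re

# Assumption (Microsoft zone registry documentation, not this page):
# URL action 2400 = ".NET Framework: XAML browser applications".
XBAP_ACTION = "2400"
ZONES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites", 3: "Internet", 4: "Restricted sites"}
POLICY = {0: "enabled", 1: "prompt", 3: "disabled"}
KEY_RE = re.compile(r"^\[(.+\\Internet Settings\\Zones\\([0-4]))\]$", re.I)
VAL_RE = re.compile(r'^"%s"=dword:([0-9a-f]{8})$' % XBAP_ACTION, re.I)

def audit_xbap_zones(reg_text):
    """Return one finding per zone key in a .reg export that sets the XBAP action."""
    findings, key, zone = [], None, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            # New registry key: remember it only if it is a zone key.
            m = KEY_RE.match(line)
            key, zone = (m.group(1), int(m.group(2))) if m else (None, None)
            continue
        m = VAL_RE.match(line) if key else None
        if m:
            value = int(m.group(1), 16)
            findings.append({
                "key": key,
                "zone": ZONES[zone],
                "setting": POLICY.get(value, "unknown(%d)" % value),
                # Not "disabled" in Internet/Restricted = XBAP host reachable by untrusted content.
                "exposed": zone >= 3 and value != 3,
            })
    return findings

# Constructed sample export (not taken from a real host).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"2400"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1400"=dword:00000000
"2400"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"2400"=dword:00000003
'''

if __name__ == "__main__":
    for f in audit_xbap_zones(SAMPLE):
        print("%-15s %-9s exposed=%-5s %s" % (f["zone"], f["setting"], f["exposed"], f["key"]))
```

Exports written by `reg export` or regedit are UTF-16, so read them with `encoding="utf-16"` before passing the text to the function.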
See also
- ClickOnce
- Extensible Application Markup Language (XAML)
- Google Native Client (NaCl)
- HTML Application (HTA)
- Microsoft Silverlight
- WebAssembly
- Windows UI Library (WinUI or WinRT XAML)
- XAP (file format)
- Java Web Start
References
- ^ adegeo. "FAQ about XBAP supportability". learn.microsoft.com. Retrieved May 15, 2024.
- ^ "WPF Partial Trust Security". MSDN. Retrieved February 16, 2011. "For XBAP applications, code that exceeds the default permission set will have different behavior depending on the security zone. In some cases, the user will receive a warning when they attempt to install it. The user can choose to continue or cancel the installation. The following table describes the behavior of the application for each security zone and what you have to do for the application to receive full trust."
- ^ "IE9 RC Minor Changes List". February 11, 2011.
- ^ "IE9 – XBAPs Disabled in the Internet Zone". March 9, 2011.
- ^ "XBAP - This application type has been disabled". Stack Overflow.
- ^ BetaFred (March 2023). "Microsoft Security Bulletin MS13-004 - Important". technet.microsoft.com.