WebBrowser control security best practices for Windows Phone 8
August 19, 2014
Applies to: Windows Phone 8 and Windows Phone Silverlight 8.1 | Windows Phone OS 7.1
When you are developing an application that uses the WebBrowser control, consider the following best practices and information regarding security:
Content loaded from isolated storage or dynamically by using the NavigateToString(String) method is treated differently than content loaded from the network. Content loaded from isolated storage or dynamically by using NavigateToString has no cross-site restrictions, while content loaded from the network has normal cross-site restrictions. For this reason, you should be careful about loading untrusted content from isolated storage or dynamically by using NavigateToString.
For example, consider an application that contains a button that allows the user to cache the contents of a webpage that they have browsed to. On the back end, the contents of the webpage are saved into isolated storage by using the SaveToString() method. Now consider that the application allows the user to browse back to that content using the local file, from within the embedded WebBrowser control. The content would now be loaded without any cross-site restrictions.
Be aware of the sensitivity of data passed to the InvokeScript(String) method. For example, privacy or location data should not be exposed to untrusted scripting code.
The WebBrowser control should not be used to create a general-purpose browser application, because the API is not designed to support all of the needed security features for such an application.
The WebBrowser control does not provide the ability to view URLs or a secure lock icon.
Users cannot navigate from https pages to http pages in the WebBrowser control. This differs from the device browser, in which users can navigate from https pages to http pages.
An application cannot share cookies with Internet Explorer Mobile.
Script is disabled in the browser by default unless you set the IsScriptEnabled property to true in your application.