EnableHtmlAccess (Silverlight Plug-in Object)

Microsoft Silverlight will reach end of support after October 2021.

Gets or sets a value that indicates whether the hosted content in the Silverlight plug-in and in the associated run-time code has access to the browser Document Object Model (DOM).

Syntax

object Element

<object ...>
  <param name="enablehtmlaccess" value="bool"/>
  ...
</object>

Silverlight.js

Silverlight.CreateObject(,,,{enableHtmlAccess:'bool'});
-or-
Silverlight.CreateObjectEx({properties:{enableHtmlAccess:'bool'}});

JavaScript

bool = silverlightObject.settings.EnableHtmlAccess;

COM

Reported as a value of IXcpControlHost::GetHostOptions.

Managed Code

Property Value

true if the hosted content and associated code have access to the browser HTML DOM; otherwise, false. The default value is true for same-domain applications and false for cross-domain applications.

Remarks

This property can only be set during Silverlight plug-in initialization, and is read-only at run-time for all possible access models.

If EnableHtmlAccess is false and you are using the managed API, most of the APIs in the System.Windows.Browser namespace will raise an exception when they are called. For instance, when EnableHtmlAccess is set to false, getting the HtmlPage.BrowserInformation property value to determine browser host information (which ultimately comes from the HTML DOM) raises an InvalidOperationException exception. For more information, see HTML Bridge: Interaction Between HTML and Managed Code.

Caution:

When a host page enables HTML access, it allows the Silverlight-based application complete access to its DOM, including the ability to modify content, insert and evaluate JavaScript code, and so on. This should be allowed only if the host page trusts the Silverlight-based application. HTML access is enabled by default for same-domain Silverlight-based applications because there is implicit trust between HTML and same-domain Silverlight content. However, access must be specifically enabled for cross-domain applications. For more information, see Security Settings in HTML Bridge.

In the JavaScript API, you always have access to the HTML DOM. If you use the JavaScript API exclusively, the value of this property is ignored.
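The default described under Property Value and the trust decision in the caution above can be checked on a host page's markup. The following JavaScript is an added example, not part of the original reference or of Silverlight.js: it reports the effective HTML-access setting for each Silverlight object element and flags cross-domain content that has been explicitly granted DOM access. The function names, the sample markup and hosts, the use of the source param to locate the application, and the URL-origin comparison used as the same-domain test are assumptions.

```javascript
// Added example: audit Silverlight <object> tags in host-page markup.
// Assumption: "same-domain" is approximated by comparing URL origins.
function attr(tag, name) {
  const re = new RegExp(`\\b${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)')`, "i");
  const m = re.exec(tag);
  return m ? (m[1] ?? m[2]) : undefined;
}

function auditSilverlightHtmlAccess(html, pageUrl) {
  const pageOrigin = new URL(pageUrl).origin;
  const findings = [];
  for (const [, attrs, body] of html.matchAll(/<object\b([^>]*)>([\s\S]*?)<\/object>/gi)) {
    // Only consider Silverlight plug-in instances.
    if (!/application\/x-silverlight/i.test(attr(attrs, "type") || "")) continue;
    const params = {};
    for (const [tag] of body.matchAll(/<param\b[^>]*>/gi)) {
      const name = attr(tag, "name");
      if (name) params[name.toLowerCase()] = attr(tag, "value") || "";
    }
    if (!params.source) continue; // no source param: nothing to compare
    const crossDomain = new URL(params.source, pageUrl).origin !== pageOrigin;
    const explicit = params.enablehtmlaccess;
    // Documented default: true for same-domain, false for cross-domain.
    const htmlAccess = explicit === undefined ? !crossDomain
                                              : explicit.toLowerCase() === "true";
    findings.push({ source: params.source, crossDomain, htmlAccess,
                    needsReview: crossDomain && htmlAccess });
  }
  return findings;
}

// Constructed sample host page (hypothetical hosts and .xap names).
const SAMPLE_HTML = `
<object data="data:application/x-silverlight-2," type="application/x-silverlight-2">
  <param name="source" value="ClientBin/Local.xap"/>
</object>
<object data="data:application/x-silverlight-2," type="application/x-silverlight-2">
  <param name="source" value="https://widgets.example.net/Ad.xap"/>
  <param name="enablehtmlaccess" value="true"/>
</object>
<object data="data:application/x-silverlight-2," type="application/x-silverlight-2">
  <param name="source" value="https://widgets.example.net/Chart.xap"/>
</object>`;
const SAMPLE_FINDINGS =
  auditSilverlightHtmlAccess(SAMPLE_HTML, "https://www.example.com/app/index.html");
console.log(SAMPLE_FINDINGS);
```

Only the second object in the sample is flagged: it is cross-domain and sets enablehtmlaccess to true, so the host page is extending DOM trust to content from another origin. The scan covers static markup only; plug-ins created at run time through Silverlight.js have to be checked at the CreateObject or CreateObjectEx call.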