Share via


How to: Enable Trusted Applications to Run Inside the Browser

Microsoft Silverlight will reach end of support after October 2021. Learn more.

Starting in Silverlight 5, system administrators can enable trusted applications to run inside the browser in order to simplify enterprise deployments and updates. This topic describes the benefits and security requirements of in-browser trusted applications.

Normally, trusted applications must run as out-of-browser applications, which require explicit installation by users or by enterprise deployment processes. Additionally, out-of-browser applications will typically require code that enables users to check for and install application updates. After you enable your trusted applications to run inside the browser, however, they no longer require any installation or update code. Instead, you can simply deploy new versions directly to your internal web server so that your users get the new versions automatically when they visit the application's web page.

In-browser trusted applications have most of the capabilities of out-of-browser trusted applications, including the ability to use the WebBrowser control. The features that are unavailable are the ones designed specifically for out-of-browser use. In particular, in-browser trusted applications cannot use the Window class. In-browser applications are also subject to restrictions imposed by browser security settings, such as Internet Explorer Protected Mode.

In-browser trusted applications typically have no need for many of the features described in Out-of-Browser Support, such as network connectivity detection and offline support. Of course, you can enable your trusted applications to run both inside and outside the browser. If you choose not to implement out-of-browser support, however, you can hide the default install option by setting OutOfBrowserSettings.ShowInstallMenuItem to false in the out-of-browser configuration.

NoteNote:

You must configure in-browser trusted applications as out-of-browser trusted applications, even if they are not meant to run outside the browser. This is necessary because the Require elevated trust and Show install menu settings are part of the out-of-browser configuration. For more information, see How to: Configure an Application for Out-of-Browser Support.

Silverlight for Windows Phone Silverlight for Windows Phone and Silverlight 3 do not support trusted applications.

To enable in-browser trusted applications

  1. Configure the target computers to allow trusted applications inside the browser by setting the following registry key:

    • Key path for 32-bit computers: HKEY_LOCAL_MACHINE\Software\Microsoft\Silverlight\

    • Key path for 64-bit computers: HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Silverlight\

    • Value name: AllowElevatedTrustAppsInBrowser

    • Value type: DWORD

    • Valid Values:

      • Disabled - 0x00000000

      • Enabled - 0x00000001

  2. Ensure that you do not set conflicting registry keys. For more information, see the AllowInstallOfElevatedTrustApps and AllowLaunchOfElevatedTrustApps registry keys in Group Policy Settings. Specifically, you can disallow the installation of trusted applications without affecting their in-browser use. However, disallowing the launch of trusted applications will cause them to run in partial trust, even inside the browser.

  3. Sign the .xap files with a valid, code-signing certificate. For more information, see the "Application Signing" section of Trusted Applications.

  4. Install the certificate to the Trusted Publishers certificate store and (if necessary) the Trusted Root Certification Authorities store. For more information, see Deploying Certificates to the Trusted Publishers Store.

Compiling the Code

For testing purposes, none of the above requirements are needed when you use a test URI that contains a hostname of localhost or 127.0.0.1. This is the default behavior when your solution includes a Web project that is set as the startup project. If you set your Silverlight project as the startup project and use a generated test page, it is displayed using the file:// protocol, so you must fulfill the above requirements. This is useful to test whether the requirements have been met.

Robust Programming

Applications that have not been properly configured for in-browser elevated trust will still run as partial-trust applications. For this reason, you should always check the Application.HasElevatedPermissions property before running code that requires elevated trust.

Security

In-browser trusted applications have the same security considerations as out-of-browser trusted applications. For more information, see the "Security Considerations" section of Trusted Applications.