[Revised July 6th 2009 – Updated to reflect changes as of .Net 3.5 SP1]
Summary of the differences between XBAP and Standalone WPF applications.
Standalone WPF applications
A standalone WPF application is one that is compiled into an EXE and placed on the users computer via any of the standard installation techniques. If installed to the local hard drive it has the default security settings of Full Trust. Naturally this security setting can be modified by an administrator to a more restrictive set of permission.
XAML Browser Applications (XBAPs)
A XBAP application is a WPF application. It is not installed in the traditional sense however. Instead the user runs the application by going to a specific URL on the Web. If they navigate to a URL that ends with an xbap extension (http://www.somesite.com/fakeapp.xbap) using a supported browser (IE or Firefox) the application just runs. This is sometimes called Click-Zero deployment because the user is not prompted to ‘install’ the application.
As stated above XBAPs are not installed in the traditional sense. Instead they are stored in the browser cache. There is no way to run the cached XBAP application except by browsing to the URL once again. If the version on the server has not changed then the cached copy is run. If a newer version of the XBAP is found on the server then the cached copy is replaced with the new version before the application is started.
A key advantage of XBAPs is that they provide a prompt free installation. The downside of this approach is there is a huge security risk involved with allowing applications to install and run from the Web. Therefore all XBAPs are run in a restrictive security sandbox under partial trust. In other words, they are allowed to use certain .NET libraries but banned from accessing others.
Here is a comparison of the features.
|Installed||Installed on users computer.||Not installed on the client’s computer.|
|Start Menu||Appears in Start Menu.||Does not appear in the Start Menu.|
|Control Panel: Add/Remove Programs||Appears in the Add/Remove Programs.||Does not appear in the Add/Remove Programs.|
|Installment methods||Installed via XCopy, Windows Installer (MSI) or ClickOnce.||Are automatically deployed via ClickOnce.
YourApp.xbap is really a ClickOnce deployment manifest.
|Code Access Security||Runs in Full Trust unless modified by Administrator.||Runs in Internet Zone .|
|Sandbox restrictions||N/A if run as Full Trust.||See list below.|
|Process||Runs in its own standard OS window.||Runs in PresentationHost.exe
Presentation host is registered as the shell and MIME handler for *.xbap files.
|Automatic Updates||Standalone apps are not automatically updated. Developer must write auto updating framework or use the Microsoft ClickOnce system.||Newer version on server is always used.|
|Offline access||Application works if offline.||Cannot run XBAP application unless user can navigate to the XBAP URL.|
|Requirements||.NET 3.0 or later installed on user computer.||.NET 3.0 or later installed on user computer.
Internet Explorer(6.0 or later)
Firefox (2.0 or later).
XBAP application have some restrictions on what .NET features they can use. Since they run in partial trust they are restricted to the same set of permission granted to any InternetZone application. However 99% of standard WPF functionality is available to an XBAP application. Therefore most WPF UI features are available.
- UI Controls
- Text Input controls (including RichTextBox).
- Flow documents and associated readers.
- XPS documents
- 2D drawing
- Internal Drag and drop (mouse driven).
- Calls to WCF services.
- Calls to ASMX services.
- Stand-alone Windows.
- Most standard dialogs.
- Interop with Windows controls or ActiveX controls.
- Access to OS drag-drop.
- Bitmap Effects (these are deprecated in .NET 3.5 SP1).
- Shader Effects
More Security Details
XBAPs are place in the Code Access Security Internet Zone. Like any other application within the Internet Zone they are restricted to safe operations. Here is a list of permissions available for a XBAP application as shown in the Visual Studio Security tab (Figure 1).
Figure 1: Visual Studio 2008 security tab.
As you can see there are only seven allowed permissions. All the other permissions are denied.
Internet Zone Application