Feed on

[Revised July 6th 2009 – Updated to reflect changes as of .Net 3.5 SP1]

Summary of the differences between XBAP and Standalone WPF applications.

Standalone WPF applications

A standalone WPF application is one that is compiled into an EXE and placed on the users computer via any of the standard installation techniques.  If installed to the local hard drive it has the default security settings of Full Trust.  Naturally this security setting can be modified by an administrator to a more restrictive set of permission.

XAML Browser Applications (XBAPs)

A XBAP application is a WPF application.  It is not installed in the traditional sense however. Instead the user runs the application by going to a specific URL on the Web.  If they navigate to a URL that ends with an xbap extension (http://www.somesite.com/fakeapp.xbap)  using a supported browser (IE or Firefox) the application just runs.  This is sometimes called Click-Zero deployment because the user is not prompted to ‘install’ the application.

As stated above XBAPs are not installed in the traditional sense.  Instead they are stored in the browser cache.  There is no way to run the cached XBAP application except by browsing to the URL once again.  If the version on the server has not changed then the cached copy is run.  If a newer version of the XBAP is found on the server then the cached copy is replaced with the new version before the application is started.

A key advantage of XBAPs is that they provide a prompt free installation.  The downside of this approach is there is a huge security risk involved with allowing applications to install and run from the Web.  Therefore all XBAPs are run in a restrictive security sandbox under partial trust.  In other words, they are allowed to use certain .NET libraries but banned from accessing others.

Here is a comparison of the features.

Feature Standalone XBAP
Installed Installed on users computer. Not installed on the client’s computer.
Start Menu Appears in Start Menu. Does not appear in the Start Menu.
Control Panel: Add/Remove Programs Appears in the Add/Remove Programs. Does not appear in the Add/Remove Programs.
Installment methods Installed via XCopy, Windows Installer (MSI) or ClickOnce. Are automatically deployed via ClickOnce.

YourApp.xbap is really a ClickOnce deployment manifest.

Code Access Security Runs in Full Trust unless modified by Administrator. Runs in Internet Zone .
Sandbox restrictions N/A if run as Full Trust. See list below.
Process Runs in its own standard OS window. Runs in PresentationHost.exe
Presentation host is registered as the shell and MIME handler for *.xbap files.
Automatic Updates Standalone apps are not automatically updated. Developer must write auto updating framework or use the Microsoft ClickOnce system. Newer version on server is always used.
Offline access Application works if offline. Cannot run XBAP application unless user can navigate to the XBAP URL.
Requirements .NET 3.0 or later installed on user computer. .NET 3.0 or later installed on user computer.
Internet Explorer(6.0 or later)
Firefox (2.0 or later).

XBAP Restrictions

XBAP application have some restrictions on what .NET features they can use.  Since they run in partial trust they are restricted to the same set of permission granted to any InternetZone application. However 99% of standard WPF functionality is available to an XBAP application. Therefore most WPF UI features are available.


  • UI Controls
  • Text Input controls (including RichTextBox).
  • Flow documents and associated readers.
  • XPS documents
  • 2D drawing
  • 3D
  • Animation
  • Audio
  • Video
  • Pages
  • MessageBoxes
  • OpenFileDialog
  • Internal Drag and drop (mouse driven).
  • Calls to WCF services.
  • Calls to ASMX services.

Not Permitted

  • Stand-alone Windows.
  • Most standard dialogs.
  • Interop with Windows controls or ActiveX controls.
  • Access to OS drag-drop.
  • Bitmap Effects (these are deprecated in .NET 3.5 SP1).
  • Shader Effects

More Security Details

XBAPs are place in the Code Access Security Internet Zone.  Like any other application within the Internet Zone they are restricted to safe operations.   Here is a list of permissions available for a XBAP application as shown in the Visual Studio Security tab (Figure 1).


Figure 1: Visual Studio 2008 security tab.

As you can see there are only seven allowed permissions.  All the other permissions are denied.

Internet Zone Application

File Dialog Permission: image
Isolated Storage Permission:
Write to Isolated storage. All other file access is denied.
Default size quota is 512K
Security Permission: image
UI Permission:
Permit a single browser window for this XBAP.  Do not allow launching of other windows.
Reading OS clipboard is restricted to contents placed in clipboard by your application.
Printer Permission: image
Media Permission: image
WebBrowser Permission:
Permits navigation to other webpages from XBAP.



RSS Like this article? Subscribe to the RSS feed.

32 Responses to “Comparing WPF applications and XBAP – What’s the difference?”

  1. [...] between WPF and XBAP Here is a very nice list with the main differences between WPF and XBAP. Share this post: email it! | bookmark it! | digg [...]

  2. If XBAP is deployed via ClickOnce this should mean the app is actually deployed on your machine, just not in the Program Files folder, but somewhere under Documents and Settings, but I forgot exactly where.

    This also shows in large XBAP demos where you don’t have to download the complete x-MB’s again.

  3. [...] WPF : No idea who wrote it, as I can’t find a name. But here’s a list of differences between XBAP and WPF. [...]

  4. Walt Ritscher says:


    The XBAP is really just a ClickOnce deployment manifest with a .xbap extension. It uses the ClickOnce ‘Start from Web’ model.

    From MSDN:
    This strategy is similar to the first, except the application behaves like a Web application. When the user clicks a link on a Web page (or double-clicks an icon on the file share), the application is started. When users close the application, it is no longer available on their local computer; nothing is added to the Start menu or the Add/Remove Programs group in the Control Panel.

    Technically, the application is downloaded and installed to an application cache on the local computer, just as a Web application is downloaded to the Web cache. As with the Web cache, the files are eventually scavenged from the application cache. The perception of the user, however, is that the application is being run from the Web or file share

    See http://msdn2.microsoft.com/en-gb/library/71baz9ah.aspx

  5. Test says:



  6. [...] (XBAP) are full featured WPF applications.  There are a few differences between them, which I’ve listed here, but XBAPs can do nearly everything that a standalone WPF application can do. That is what makes [...]

  7. JammerUK says:

    So can someone clear this up for me.

    Are XPAB’s simply just Windows Click Once Apps running in a browser? Does any code run on the web server?

    I need a WPF solution that acts like a web app where the client doesn’t see the database they only see the web server, the webserver, through the BLL and DAL, sees the database.

    Also WebServices are not an option. Any Ideas?

  8. >Are XPAB’s simply just Windows Click Once Apps running in a browser?

    Yes. But within a restricted security sandbox.

    >Does any code run on the web server?


    >Also WebServices are not an option. Any Ideas?

    Yes, webservices back to the server of origin are an option. And if you need to go to another web service, you can create a proxy service at the server of origin.

  9. [...] Now, you can try to create a WPF application with Microsoft Visual Studio 2008 Beta 2. Before that, you can create WPF application in Visual Studio 2005 but you need to install several Software Development Kit (SDK) to get the jobs done. WPF offers two main application types, which are Standalone and Browser-Hosted (XAML Browser Applications) for the developers. You can check the differences between these two application types here. [...]

  10. Epsilone3 says:

    Did Xbap and Wpf/e use the same
    custom control inherited objects ?

  11. Julio Panderi says:

    I’ve got a few questions about XBAP

    * When I use a XBAP application, where in the client machine is copied the xbap archive?

    * I need to know if it’s possible to execute other programs, in the client machine, like Ms Excel?

    Thank you

  12. Prash Geo says:

    I want to write a system which has access to a ODBC data source hosted using a web browser. I started investigating WPF application (XBAP), but it appears the applications runs on the web client rather than on a web server. Is it possible to host an XBAP on a web server and have all the database access sourced through the web server.

    Also given that WPF applications require .net runtimes loaded, is there a better programming environment that has broader access, but still with very rich user interfaces.

    The final system is a very simple online ordering system

  13. JammerUK says:

    [Article updated: July 2009]
    Its been some time since I checked this site. It seems out of date. My team and I have successfully built an enterprise application that is deployed as a partial trust xbap.

    This statment is incorrect “No calls to WCF allowed”

    Since .net 3.5 was released we have been able to make Partial Trust WCF calls.

    Potential problem areas and work arounds that remain with partial trust:

    - Can’t open child windows – Use Popups
    - Bitmaps effects – Don’t use them
    - Reflection – Reflection only works for publicly exposed members.

    If I can think of any more i will post them here.

  14. Robert says:

    It appears you can call WCF web services now, which I guess makes things easier. My problem is I still don’t know enough about WCF to really make any practical use of it. I was wondering if anyone knows of an xbap partial-trust sample that calls an external API such as Live search and returns a users search to them. That would explain how to make actual use of an XBAP in my opinion. Either REST or SOAP it doesn’t matter that much as long as I can interact with an external API. Thanks for writing this really informative post!

  15. Nimesh says:

    I dint understand one thing,
    if XBAP is browser based application means internet/intranet based application then why we need to install application on individual machine?
    we can run from any machine in a network using IE,right?

    or am i wrong,please clear my doubt.

  16. KB says:

    From what I can tell, XBAPs are just WPF apps that don’t have the ability to do anything. Really, what’s the point? I can’t see them being useful for anything but small games.

    A real app accesses data retrieved from somewhere else, manipulates it, and writes it. XBAPs don’t have access to the client or the server. So really, they have access to nothing. They are a downgrade from ASP.NET.

    For god sakes, at least give the client machine the option to allow the XBAP access. Or direct access to the server it came from. Otherwise they are a massive waste of time for developers. They will never be used to their full potential without one or the other.

  17. My says:

    I’ m so interested in XBAP but all those security stuff made me hardly focus on xbap programming itself. don’t know when to start to code.

  18. An says:

    Some more interesting stuffs with XBAP:
    1. Valil Chess:
    2. Online Word Processing:

  19. Winwab says:

    thanks for this great comparison between WPF applications and XBAP

  20. In my previous post the quote was left out…it was this:

    A real app accesses data retrieved from somewhere else, manipulates it, and writes it. XBAPs don’t have access to the client or the server. So really, they have access to nothing. They are a downgrade from ASP.NET.


  21. [...] Comparing WPF applications and XBAP – What’s the difference? By samols Comparing WPF applications and XBAP – What’s the difference here is good link [...]

  22. Losifer says:

    Some of this information seems bunk. I have writing a WPF Browser Application and have been able to make calls to tradictional webservices running on remote machines without using WCF, use bitmap effects, and do all the normal things I would be able to do with a ASP.NET website. The syntax is a little funky at first, but I’m getting fairly used to it. Am I missing something here?

  23. Walt Ritscher says:

    @Losifer. This article is over two years old. XBAP’s saw a lot of improvements in subsequent releases of .NET. The restriction on calling webservices has been removed and there are a lot of performance enhancements too.

    I guess I need to update this page to reflect the changes.

  24. Losifer says:

    An update would be great. This blog is one of the first pages to come up when you do a Google search regarding the limitations of WPF Browser Applications. I’d hate for people to be afraid to make the transition, since it is an excellent platform for rich browser applications. Obviously blog pages are never a source of factual information, but I always like to hear other developer’s feedback before I go diving into a big project. I appreciate your effort to inform developers about the advantages and disadvantages of using WPF.

  25. AndreTheGiant says:

    This has to be the best article I’ve seen explaining WPF XBAP applications. I particularly like the comparison grid showing the differences between standalone apps and XBAPS.

    Great work and thanks.

  26. Harold says:

    What seems to me to be the best solution is to use a locally installed WPF application that uses WCF to talk back to the server. I am not seeing any reason to use an Xbap over a desktop solution. The full desktop solution has none of the limitations of an Xbap.

    Seems like the same distribution conveniences are there too… with the click-once.


Leave a Reply