Should Silverlight 3's Out of Browser be Full-Trust?

Silverlight Logo

When the Silverlight 3 "Out of the Browser" support (dubbed OOB by someone other than me) I was approached by more than a few attendees wondering whether I thought that OOB meant the death of WPF. While I still contend that this is not the case, I have been forced into thinking about the OOB support in a deeper way earlier.

On Twitter, no other than Jon Galloway, Caleb Jenkins, Tim Heuer, Jusin Angel, John Papa and Brian Henderson (et al.) have had this on-going discussion about OOB and how it differs from Adobe's AIR and from in the browser Silverlight. There are a range of opinions but I thought it helpful to explain in more than 140 characters my opinion. But first some background.

For the uninitiated, the OOB support in Silverlight 3 simply allows you to install a Silverlight application to look and act like a desktop application. OOB support can install icons and check for updates on the server when launched. While this feature look and feels somewhat like ClickOnce, its very different. In OOB, your application is still running in a browser (a window hosting IE on windows and Safari on Mac).  It still lives in the same security sandbox as browser applications.

So how could this cool feature cause so much discussion? The problem is that the competition, Adobe AIR, does things very differently. Air is an interesting platform because it essentially is just a webkit with operating system-like chrome around it. Flash/Flex is one of the hosts can live in it (though you can host PDF's and AJAX HTML apps too). To run Air applications you have to download and install a second runtime.

But Air also lives in two different worlds.  You can have Air applications that act/look like their web versions and live in that same sandbox.  But for most people who have experienced Air (mostly in the form of Twitter clients), they are used to using Air applications running as desktop applications. In that state, the applications run in Full-Trust (though some of the API's to get at desktop resources seem to be treating the desktop in a non-OS specific way). (CAVEAT: I know just enough about Air and Flash to get me in trouble so if I have something wrong, please comment about it so we can get the story right.)

This is contrasted with the Silverlight OOB experience which is specifically always acting like a browser app and that pesky security sandbox. This is where the consternation comes in. There are several camps:

  • Happy with the more secure browser-like sandbox.
  • Want some changes, specifically Cross-Domain Access should be allowed.
  • Want a desktop solution that is cross-platform.  Let me access local resources too.

I happen to fall into the first camp. After living through the ActiveX world, I tend to believe that the more security the Silverlight model is, the happier I am. Because at the end of the day, most people will press "Yes" to any question if there is some reward (a casual game, a naked picture of a celebrity, free software, etc.) I want Silverlight to protect those people from themselves because when they get bitten and someone downloads their Quicken file and does dasterly things with it, Silverlight and Microsoft will be blamed.  That hurts those of us with the technology.

The other problem with the power of full-trust is that means that one day i'll have to write this code:

switch (Platform)
{
  case Platform.Windows: 
    // ...
    break;
  case Platform.Mac:
    // ...
    break;
}

Once I write this code, the game is over. Isolation from the operating system is one of the benefits here. Sure it does mean "Write One...Debug Everywhere" but at least we won't be developing with the platform in mind.

Finally: "With much power is much responsibility."  But I think we've learned that no one can be trusted with that power. That's why iPhone and XBox Live have certification of applications. Developers and script kiddies are the bad guys and if the platform is to be trusted, it has to be circumspect.

But what about the people who want some power that doesn't sound to dangerous (mostly cross-domain access)? I'd argue that this is a problem with the services mostly.  If Microsoft decided to remove this limitation, I wouldn't be terribly upset (as this causes problems consuming Azure services for Silverlight too), but I still don't think its the right fix. I may be generalizing but it seems that the only people really upset about this are writing Twitter clients (since Twitter specifically forbids web clients from accessing the API).

Caleb Jenkins' argumet that the whole cross-domain policy is a hacked protection that Flash came up with and that Microsoft is perpetuating is a compelling argument. I hear from people from time to time that the security isn't useful as its too easy to avoid by proxying through the server.  Why yes, you can do it by proxying to the server but that's the point.

I explain it to my students this way: The reason for the cross domain security is to prevent untraceable code from executing their API. Why is it untraceable?  Because when you write client code (JavaScript in a page, Silverlight, Flash, Java Applets, etc.) that runs in a browser (which means that the code didn't originate with the user's machine), the API owner can't trace the code.  My mother loves any casual game anyone promises her...she had nine IE toolbars to prove it. So when someone write a Silverlight application that promises a game, and my mother presses "Yes" and then they pound a server looking for holes, they can trace it back to my mother and that's about it. When you get around the limitation by proxying it to your server, then they can trace it to you...the code running on your server. That's why I believe cross domain security works.

So, yes I like the sandbox even if that means that Air continues to flourish. 

But what about WPF?  Let's look into the future and imagine a WPF 4/Silverlight 4 world where they are pretty close to each other.  Then a development of an Air competitor to allow you to run your WPF apps cross operating system with full-trust makes sense.  But it would require an install to make sure that the user knows that's what is happening. I'd be ok with that.  But trying to shoe-horn it into OOB I think is a misake.

Now...what do you think?  (And don't be gentle.)

Comments:

Gravatar

There are already proof of concept and workarounds to make a silverlight 3 application gain full trust or pass the cross domain issue. so i think you are right with the idea of preserving the secure and the deploy everywhere easily mantra.

However those who do want to develop full trust apps with SL3 should have a official secondary way to make that happen without developing workarounds themselves.

in any way if official or not. those who want full trust SL# apps will have to appeal to the user, so the user downloads and installs whatever is needed to add that edge.

Avatar X (Posted Saturday, April 11, 2009 )

Gravatar

While I think perhaps a FullTrust solution should exist (though arguably, there is for most dev's that don't need cross-platform) in WPF/XBAP. (I know XBAP FullTrust is hard, but its possible.)

I would rather they defer FullTrust or x-domain until Silverlight 4 so they can solve it right than shim it into the package.

Shawn Wildermuth (Posted Saturday, April 11, 2009 )

Gravatar

I think Silverlight should stay in the browser and WPF should stay on the desktop. If we are going to put Silverlight on the desktop with fulltrust etc, then may as well stop trying to cram the framework into 4Mb and make it a requirement to have the .net framework installed to run either. Merge Silverlight and WPF into one. That of course means either no cross platform, or you need to come up with a .net framework that runs on everything.
I don't think thats the way to go.

Stephen Price (Posted Saturday, April 11, 2009 )

Gravatar

I think security should come first whatever the decision is.

It's so easy to abuse these current setups. ie. AIR has alot of potential/real security risks to it.

The key to me with WPF and clickOnce - which is great - is for the team to reduce the needed .NET framework size, perhaps by only installing what is needed. That is one of the beauties of Silverlight runtime - 4 megs, and it's quick and easy to install.

Steve (Posted Saturday, April 11, 2009 )

Gravatar

I personally am in the second camp. Air's killer app is tweetdeck, and right now doing something similar requires a cross-domain proxy. The problem with this is that this way you credentials also go through the proxy, and I personally would be pretty worried to use such a software. Also, maintaining a proxy can be cumbersome and expensive, too.

Of course, with cross domain allowed, password theft may still be an issue - a twitter client could report the password back home. The solution to this problem may be if SL only allows connections to one domain, whether it is the originating or some other domain. Upgrades would have to work from the originating domain of course.

András Velvárt (Posted Saturday, April 11, 2009 )

Gravatar

I really like OOB Silverlight applications on the desktop, especially for forms-over-data line of business applications. However, if you want a XAML based, full trust application, build it in WPF. WPF clients can talk to a web services pretty much the same way Silverlight clients do, and it really is not that difficult to share code and resources between the platforms. Please, please, please don't encumber my OOB Silverlight install with all the security checks and prompts needed for Click Once.

Tim Binkley-Jones (Posted Saturday, April 11, 2009 )

Gravatar

While what I'd really like is a write-once, debug-once, cross-platform WPF, I don't think Silverlight should go there just yet. Let's get some solid adoption before we risk anything that could potentually hurt adoption.

Pete

Pete (Posted Saturday, April 11, 2009 )

Gravatar

I love WPF. And I love Silverlight. But I hate seeing them being so different. That's why I think WPF (in its current state) is a sort of a dead end. They should more or less be a single "entity", with only one name; and WPF should properly *extend* Silverlight feature set instead of what we have now - two similar, but different frameworks. What should be built and packaged for deployment, should be settable at design/build time. Instead of "New Silverlight (or WPF) Project", I would like to have "New XXX Project" shortcuts in Visual Studio, along with configurable options like "Targeted platform(s)", "Full/Partial trust", "Enable hardware acceleration", etc... Based on this, the application would be built and deployed with the right set of assemblies. And of course Visual Studio would block those assemblies/features, which can't be used in the targeted scenario.
With this, developer shouldn't bang his head around choosing Silverlight/WPF-desktop/XBAP, but develop a single solution and probably ship it with different features and/or security context, on different systems. The app could also run with limited trust when inside the browser and full trust (if required) when broken out of it. But there should be something more than just a yes/no prompt when switching to OOB and the app requires full trust.

Andrej Tozon (Posted Saturday, April 11, 2009 )

Gravatar

My impression has always been when people want full trust for silverlight what they really mean is they want WPF to run on Mac and Linux.

Aaron Fischer (Posted Saturday, April 11, 2009 )

Gravatar

The real problem is not out of browser, is deconnected applications. For that, we'll need a database - SQL Compact? - to run locally, and it is not possible in isolated storage.

I thing this is the real problem, not credentials.

Marcos Tabaj (Posted Saturday, April 11, 2009 )

Gravatar

I belive that Microsoft is going to use the same specs than Flash Air. My modest and personal opinion, of course
Cheers
Al
http://alpascual.com

Al Pascual (Posted Saturday, April 11, 2009 )

Gravatar

I lean (slightly) towards yanking out the cross-domain policy stuff altogether. It has only limited security uses (see Caleb)... and it's certainly a barrier for accessing any cloud services.

The potential disadvantage of yanking cross-domain is that it might lead to a security black-eye for Silverlight. Yikes.

I'm mostly in the middle, but I do have a burgeoning hatred of that file.

Erik Mork (Posted Saturday, April 11, 2009 )

Gravatar

Al,

I don't disagree but I can't imagine that it is going to happen in the short term (e.g. SL3).

Shawn Wildermuth (Posted Saturday, April 11, 2009 )

Gravatar

Okay, I am a bit of an Air fan. But I do think Silverlight will benefit by having an OOB platform.
For Flex/Flash we have Air. For Ajax we have Gears and Air. Right now Silverlight is chasing the others.
Gears and Air are leveraging SQLLite and harddrive space for storage. Pretty powerful stuff when well architected.
The key to the OOB concept is the fact that you can develop desktop applications with the same skill set you used for web development. While tweetdeck was mentioned as the killer Air app I can state with confidence that it is trivial compared to some of the Air apps I have seen used behind the firewall. When you talk about OOB and then talk about crossdomain I think the true strength is being overlooked. The ability to use the http protocal allows us to sync up, but if all you are doing is creating web mashups then why bother with oob.

Adrian Pomilio (Posted Sunday, April 12, 2009 )

Gravatar

Shawn,

Lots of good points for all camps, and I am sure there are other variations too. I like Silverlight's OOB as it is: secure and worry-free-platform. I would not be willing to give up the security of living int he sandbox nor the platform independent code to gain local resource accessibility nor any other desktop feature. To me those 2 features alone are what make a compelling argument to use Silverlight in many cases.

Regarding cross domain files, I admin the whole policy file has given me sleepless nights. It does not bother me as much as it does some people, but I could care less if it disappeared, too. I used a similar argument that to you use here regarding cross domain policy files and some prominent people told me it had nothing to do with tracking down where the requests came from. if that's true then I their reason for exiting is lessened IMHO. I'd like to see them go away, but if they don't I deal. Its not a deal breaker to me.

John Papa (Posted Sunday, April 12, 2009 )

Gravatar

I disagree that you'd have to write switch(Platform) statements in _application_ code. That just implies poor design.

If you find you have to interact with something platform specific, write an abstraction and put it in a separate assembly. One for each platform. Using an IoC / DI framework like Unity or Windsor would then allow you to resolve the appropriate implementation for the current platform based on external configuration.

Stuart Carnie (Posted Sunday, April 12, 2009 )

Gravatar

By the way, there are already examples of using Silverlight with Gears.

Gears is not exclusive to Adobe Air.

http://www.mojoportal.com/silverlight-google-gears-awesome-at-least-in-firefox.aspx

I hear all the time how MS needs to make Gears. I don't see why if Silverlight developers just 'use' Gears

I'm I missing something here or is there just a lack of understanding they can play nicely together ?

Steve G (Posted Sunday, April 12, 2009 )

Gravatar

Current level of trust is appropriate - I say re-evaluate as things evolve - opening the door too much could actually make Silverilght be used less

David Yack (Posted Sunday, April 12, 2009 )

Gravatar

Personally I consider the sand box to be a huge advantage. I've found that with the vast majority of applications I've written the limitations of the sand box are easily circumvented by supplying the necessary support on the server, and that's how a cloud application should usually be written anyways. I would prefer that Silverlight maintain the sand box, so users can know that they can trust my application. In the event that MS decides to add support for fully trusted cross platform applications I would prefer that they did so with a different run time; perhaps a .Net Framekwork for the Mac or something.

Edgar (Posted Monday, April 13, 2009 )

Gravatar

Hi Shawn, I am unable to get the security remifications of "full-trust" mode. Isn't that how most desktop applications are working right now ? You can write a desktop application that can steal your quicken/quickbook files.

The only difference between Desktop and Silverlight is, people install Desktop software. I think similarly silverlight should allow full-trust after a big message box :). In the end we have 2 things : 1) Developer can decide if he wants to request Full-Trust and 2) User agrees or rejects to grant full-trust.

Parag Mehta (Posted Monday, April 13, 2009 )

Gravatar

There is what I would like, and what is realistic. Air is a wrapper around the OS, and the reason I can hit things at the os is because adobe has written apis to do this. In order to do this w/ out of browser silverlight would be more so to extend the even more parts of the full clr to os x, and to use mono on linux. Although I would LOVE to build wpf like experiences on OSX, and windows at the same time... I doubt this will ever be a reality.

Mike Wolf (Posted Monday, April 13, 2009 )

Gravatar

Hi Shawn,

I agree with you. The sandbox is an advantage and benefit. It would be nice to have full WPF for Mac, but I don't think Silverlight OOB is the way to get there.

I tend to think in most cases, we should just come up with creative alternatives instead of falling back to the "must have full trust" mode. There are things that Silverlight can do to help address needed scenarios without just falling into full trust. Not to mention, given the explicit transparent security model for Silverlight, it would be no small thing for them to change it to allow for elevation. There are far more important uses of the Silverlight teams' time, IMO.

Maybe I'm wrong, though. :)

J. Ambrose Little (Posted Monday, April 13, 2009 )

Gravatar

I would prefer sandbox, but with certain additional features like notifications and these app should use OS std. add/remove s/w interface.

anon (Posted Saturday, April 18, 2009 )

Gravatar

Does the world need another Web browser? Why not just collaborate with Mozilla on Firefox? Webkit http://www.frogmix.com/search/webkit + Firefox + Chrome stand a better chance together rather than apart, don’t they? Feels to me like the million Linux distros and their corresponding desktops. If they could all get together, users would be better off.

mike (Posted Thursday, May 28, 2009 )


 



 
Save Cancel