IE9 - XBAPs Disabled in the Internet Zone

As I mentioned last month, .NET Framework XAML Browser Applications (XBAPs) are now prevented from loading from the Internet Zone in IE9. When visiting an Internet site that utilizes an XBAP, an error message is shown, indicating that the application type has been disabled:

IE Screenshot showing disabled XBAP

XBAPs are a powerful technology based on .NET Framework technologies, but they are not commonly used on the Internet. Our crawls of the top 100,000 websites found no uses of the technology. We know that many customers use XBAPs on internal sites and, as such, these applications remain enabled in the Local Intranet, Trusted, and Local Machine zones.

The mechanism used to implement this change is simple: IE9 Setup adjusts the existing URLACTION_WINDOWS_BROWSER_APPLICATIONS (0x2400) to Disable (0x3) for the Internet Zone, and adjusts the Medium-High security zone template to match. Group Policy or end-user configuration of the XAML Browser Applications setting inside Tools > Internet Options > Security settings permits enablement of XBAPs for the Internet Zone, although this is not recommended. Instead, to unblock any scenarios where XBAPs are needed for Internet sites, end-users or IT Administrators may add an XBAP’s origin to the Trusted Sites list, using either the Internet Control Panel’s Security tab or the site-to-zone assignment feature of Group Policy.
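A read-only audit of this setting, as an added example that is not part of the original post: it lists every registry location where URLAction 2400 is defined for each zone and flags an Internet Zone value other than Disable. The registry paths and the Enable (0) and Prompt (1) values are assumptions taken from the standard IE zone-settings layout, not from this post.

```powershell
# Added example (not from the original post): read-only audit of
# URLACTION_WINDOWS_BROWSER_APPLICATIONS (0x2400) in each security zone.
$action    = '2400'   # registry value name is the URLAction id in hex
$zoneNames = 'Local Machine', 'Local Intranet', 'Trusted Sites', 'Internet', 'Restricted Sites'
$settings  = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }   # 0 and 1: standard URLPOLICY values (assumption)

# Assumption: standard IE zone-settings locations (Group Policy and preference hives).
$roots = @(
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)

$report = foreach ($root in $roots) {
    foreach ($zone in 0..4) {
        $prop = Get-ItemProperty -Path "$root\$zone" -Name $action -ErrorAction SilentlyContinue
        if ($null -eq $prop) { continue }   # value not defined in this hive for this zone

        $value = [int]$prop.$action
        $name  = if ($settings.ContainsKey($value)) { $settings[$value] } else { 'Other (0x{0:X})' -f $value }

        [pscustomobject]@{
            Source  = $root -replace '\\Windows\\CurrentVersion\\Internet Settings\\Zones$', ''
            Zone    = '{0} ({1})' -f $zone, $zoneNames[$zone]
            Setting = $name
            # Only the Internet Zone (3) is expected to be Disable (0x3) after IE9 Setup.
            Note    = if ($zone -eq 3 -and $value -ne 3) { 'REVIEW: XBAPs not disabled for Internet Zone' } else { '' }
        }
    }
}

if ($report) {
    $report | Format-Table -AutoSize -Wrap
} else {
    'URLAction 2400 is not defined in any checked location.'
}
```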

One caveat to keep in mind is that the .NET Framework evaluates the URLAction based on the origin of the XBAP. In the case where an HTML document utilizes a cross-origin XBAP, the URL of the XBAP is mapped to a Zone and the settings for that Zone are consulted; the outer document’s URL is not considered.

One common question is “Why did you change this setting to Disable rather than Prompt?”

We elected not to change the URLAction’s value to Prompt as our research shows that users tend not to make good choices in any of our legacy modal security prompts. We’ve done significant work in IE9 to nearly eliminate the modal prompts. Worse still, the XBAP URLAction was never in the set with a descriptive prompt message, so the user experience in the “Prompt” state isn’t a good one:

Screenshot of unhelpful Prompt message

Application developers using XBAPs in the Internet Zone should consider moving to other distribution mechanisms. For instance, ClickOnce executables have a lightweight trust experience and don’t require Zone changes on the part of the user.

-Eric Lawrence

PS: Also, please note that if the IE9 ActiveX Filtering feature is enabled, XBAP contents will be blocked even in the Trusted Zone. The user may unblock ActiveX and XBAPs using the blue icon at the right side of the address bar.