Creating A Full Trust Avalon Web Browser (.xbap) Application

I recently needed to create a full trust .xbap application on the November CTP. As you may know, Avalon Web Browser applications run in a sandbox, which allows them to be installed without any security prompts. However, there are cases, such as intranet applications, where allowing an in-browser application to do more makes sense. It took some help from the Avalon team to know how to make this work, which I thought I'd share with the world. For some more links on this, see:

https://windowssdk.msdn.microsoft.com/library/default.asp?url=/library/en-us/dv_fxdeploy/html/b24a1702-8fbe-45b1-87a0-9618a0708f1d.asp?frame=true

and

https://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/2c03582f-00b2-43e5-ae1d-493894ad0fd7.mspx

Here are the steps:

1. Change the TargetZone of the application to custom. This can be done manually by hacking the .proj file or can be done in Visual Studio by going to Project Properties, going to the Security tab, and changing the dropdown to (custom).

2. Add the Unrestricted="true" attribute to the manifest of the application, which is located in the Properties folder. The manifest should look something like this:

<?xml version="1.0" encoding="utf-8"?>
<asmv1:assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
    <security>
      <applicationRequestMinimum>
        <defaultAssemblyRequest permissionSetReference="Custom" />
        <!-- Unrestricted="true" on the referenced permission set is the full trust request -->
        <PermissionSet class="System.Security.PermissionSet"
                       version="1"
                       ID="Custom"
                       SameSite="site"
                       Unrestricted="true" />
      </applicationRequestMinimum>
    </security>
  </trustInfo>
</asmv1:assembly>

3. Deploy the application using the Visual Studio Publish Wizard.

4. If you launch the application from the file system (a.k.a. the local zone), all will be hunky dory. However, if you want to deploy this from the web, the certificate used to sign the manifest will have to be added to the Trusted Publishers store within Internet Explorer. By default, VS generates a .pfx key when you create a Web Browser application. Of course, for real deployments, a company-issued certificate would be more appropriate to use. Getting a cert into the store can be done by double-clicking the cert or by using the certmgr tool with the appropriate command-line switches.
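
An added example, not part of the original post: a Python check that reads an application manifest of the shape shown in step 2 and reports whether its default permission set requests unrestricted (full) trust, which is worth reviewing before a signing certificate goes into Trusted Publishers. The function name and both sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ASM_V2 = "urn:schemas-microsoft-com:asm.v2"  # namespace of trustInfo and its children

# Constructed sample: same shape as the manifest in step 2 (full trust request).
SAMPLE_FULL_TRUST = """<asmv1:assembly manifestVersion="1.0"
    xmlns="urn:schemas-microsoft-com:asm.v1" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"><security><applicationRequestMinimum>
    <defaultAssemblyRequest permissionSetReference="Custom" />
    <PermissionSet class="System.Security.PermissionSet" version="1"
                   ID="Custom" SameSite="site" Unrestricted="true" />
  </applicationRequestMinimum></security></trustInfo>
</asmv1:assembly>"""

# Constructed sample: the same manifest without the Unrestricted attribute.
SAMPLE_SANDBOXED = SAMPLE_FULL_TRUST.replace(' Unrestricted="true"', "")


def audit_trust(manifest_xml):
    """Return (permission_set_id, full_trust) for an application manifest.

    full_trust is True/False when a trust request is present, and None when
    the manifest carries no applicationRequestMinimum element at all.
    """
    root = ET.fromstring(manifest_xml)
    req = root.find(f".//{{{ASM_V2}}}applicationRequestMinimum")
    if req is None:
        return (None, None)
    # The default request names a permission set by ID; resolve that reference.
    default = req.find(f"{{{ASM_V2}}}defaultAssemblyRequest")
    ref = default.get("permissionSetReference") if default is not None else None
    for pset in req.findall(f"{{{ASM_V2}}}PermissionSet"):
        if pset.get("ID") == ref:
            # Compare case-insensitively so a differently-cased value is still flagged.
            value = pset.get("Unrestricted", "false").strip().lower()
            return (ref, value == "true")
    return (ref, False)  # reference does not resolve to a set in this manifest


if __name__ == "__main__":
    for name, doc in (("full trust", SAMPLE_FULL_TRUST), ("sandboxed", SAMPLE_SANDBOXED)):
        print(name, audit_trust(doc))
```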