Silverlight2 Security


Published on

Silverlight2 Security

  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Silverlight2 Security

  1. 1. Silverlight2 Security Microsoft Korea Next Web Team Reagan Hwang / UX Evangelist
  2. 2. Application Code
  3. 3. Silverlight 2 Application Security Model
  4. 4. How Silverlight 2 processes application code
  5. 5. More Silverlight Application Security <ul><li>All applications written for Silverlight are security transparent.  This means that they cannot: [ details ] </li></ul><ul><ul><li>Contain unverifiable code </li></ul></ul><ul><ul><li>Call native code directly </li></ul></ul><ul><li>Silverlight applications can access public methods exposed by platform assemblies which are either: [ details ] </li></ul><ul><ul><li>Security transparent (neither the defining type nor the method has any security attributes) </li></ul></ul><ul><ul><li>Security safe critical (the method has a SecuritySafeCriticalAttribute) </li></ul></ul><ul><li>Silverlight applications may contain types which derive from: [ details ] </li></ul><ul><ul><li>Other types defined in the application </li></ul></ul><ul><ul><li>Unsealed, public, security transparent types and interfaces defined by the platform </li></ul></ul><ul><li>Silverlight applications may contain types which override virtual methods and implements interface methods which are: [ details ] </li></ul><ul><ul><li>Defined in the application itself </li></ul></ul><ul><ul><li>Defined by the platform and are transparent or safe critical </li></ul></ul>
  6. 6. HTML Bridge
  7. 7. Security Settings in HTML Bridge <ul><li>The EnableHtmlAccess parameter , which is set on the Silverlight plug-in on the host page, prevents a malicious cross-domain Silverlight-based application from accessing the host page's JavaScript and DOM code. </li></ul><ul><li>The ExternalCallersFromCrossDomain deployment manifest attribute prevents a malicious cross-domain host from accessing scriptable properties, methods, or events that are exposed by the Silverlight-based application. </li></ul><ul><li>The AllowHtmlPopupwindow parameter, which is set on the Silverlight plug-in on the host page, controls pop-up windows that are opened by cross-domain Silverlight-based applications. When this attribute is set to false (the default when the Silverlight control is loaded from a different domain than the containing page or hosting iframe), a developer cannot call PopupWindow . </li></ul>
  8. 8. from Silverlight to JavaScript <ul><li>The enableHtmlAccess parameter is set on the Silverlight plug-in. It enables managed code in the .xap file to access the JavaScript and DOM code on the host page. This parameter can be set only during plug-in initialization, and is read-only afterward. For same-domain applications, the parameter is set to true by default, and you do not have to explicitly set its value in code. For cross-domain applications, the parameter is set to false by default, and you have to explicitly enable it, as shown in the following host page HTML code. </li></ul><ul><li>When the enableHtmlAccess parameter is set to true, as shown in the previous example, the following HtmlPage properties are enabled: </li></ul><ul><li>HtmlPage..::.Document </li></ul><ul><li>HtmlPage..::.Window </li></ul><ul><li>HtmlPage..::.Plugin </li></ul><ul><li>HtmlPage..::.BrowserInformation </li></ul><div id=&quot;silverlightControlHost&quot;> <object data=&quot;data:application/x-silverlight-2,&quot; type=&quot;application/x-silverlight-2&quot; width=&quot;300&quot; height=&quot;100&quot; <param name=&quot;source&quot; value=&quot;;/> <param name=&quot;enableHtmlAccess&quot; value=&quot;true&quot; /> // for cross-domain application </object> </div>
  9. 9. enableHtmlAccess Workarounds <ul><li>When the enableHtmlAccess parameter is set to false, direct access to JavaScript or DOM elements and objects is not possible. However, individual, specific access can be programmatically re-established in the following cases: </li></ul><ul><ul><li>Silverlight code exposes one or more scriptable entry points that accept ScriptObject references as input parameters. </li></ul></ul><ul><ul><li>Silverlight code explicitly registers the scriptable entry points by calling the RegisterScriptableObject method. </li></ul></ul><ul><ul><li>Access to scriptable entry points is not disabled with the ExternalCallersFromCrossDomain attribute. </li></ul></ul><ul><ul><li>JavaScript code accesses the plug-in's Content property, obtains a reference to one of the scriptable entry points, and passes a DOM object or JavaScript object reference as an input parameter. </li></ul></ul><ul><li>These conditions cannot occur by accident. The Silverlight managed code and the JavaScript code must each be written specifically to allow mutual access. </li></ul><ul><li>Silverlight managed code can obtain the value of the plug-in's enableHtmlAccess parameter by getting the Settings..::.EnableHTMLAccess or HtmlPage..::.IsEnabled property. </li></ul>
  10. 10. from JavaScript to Silverlight <ul><li>The ExternalCallersFromCrossDomain attribute accepts two values: ScriptableOnly and NoAccess . </li></ul><Deployment xmlns=&quot;; xmlns:x=&quot;; EntryPointAssembly=&quot;MyAppAssembly&quot; EntryPointType=&quot;MyNamespace.MyApplication&quot; ExternalCallersFromCrossDomain=&quot;ScriptableOnly&quot; > <Deployment.Parts> <AssemblyPart Source=&quot;MyAppAssembly.dll” /> <AssemblyPart Source=&quot;MyUserControl.dll&quot; /> </Deployment.Parts> </Deployment>
  11. 11. ExternalCallersFromCrossDomain Workarounds <ul><li>When the ExternalCallersFromCrossDomain attribute is set to NoAccess, direct access to Silverlight managed code is not possible. However, individual, specific access can be programmatically re-established if the following conditions are true: </li></ul><ul><ul><li>The Silverlight plug-in's enableHtmlAccess property is set to true. </li></ul></ul><ul><ul><li>Silverlight managed code calls a JavaScript function and passes one or more managed objects as input parameters to the Invoke , InvokeSelf , and SetProperty methods. </li></ul></ul><ul><ul><li>The managed instances passed in the previous step have scriptable properties, methods, or events, and the objects have been registered for scriptable access by using the RegisterScriptableObject method. </li></ul></ul><ul><li>These conditions cannot occur by accident. They require explicit steps by the cross-domain Silverlight-based application to pass managed objects to the host's JavaScript. </li></ul><ul><li>You can get the current value of the ExternalCallersFromCrossDomain attribute from the ExternalCallersFromCrossDomain read-only property. This property returns a CrossDomainAccess value that indicates the access level of cross-domain callers. </li></ul>
  12. 12. HTTP communication
  13. 13. Default HTTP Support <ul><li>Same-domain calls are always allowed. </li></ul><ul><li>When the Web server hosting the Web services is appropriately configured, cross-domain and cross-scheme calls are supported. </li></ul><ul><li>All communication is asynchronous. </li></ul><ul><li>Only GET and POST verbs are supported. </li></ul><ul><li>Most standard and all custom request headers are supported. (Headers must be allowed in the cross-domain policy file before they can be set on cross-domain requests.) </li></ul><ul><li>Only 200 OK and 404 Not Found status codes are available. </li></ul>
  14. 14. HTTP Communication Scenario
  15. 15. Same Domain
  16. 16. Cross Domain <ul><li>Silverlight cross-domain policy file (clientaccesspolicy.xml) </li></ul><ul><li>A subset of the Adobe Flash cross-domain policy file (crossdomain.xml) </li></ul><ul><li>Redirects on cross-domain policy files are not allowed. However, a Silverlight-based application will follow a redirect for a target resource. The resource can be retrieved only if access is granted by the following: </li></ul><ul><li>The cross-domain policy file at the domain indicated by the original URI before redirection. </li></ul><ul><li>The cross-domain policy file at the domain indicated by the final URI after all redirections. </li></ul>
  17. 17. Cross-Domain Policy File Example Network Security Access Restrictions in Silverlight 2 (more crossdomain policy file) <?xml version=&quot;1.0&quot; encoding=&quot;utf-8&quot;?> <access-policy> <cross-domain-access> <policy > <allow-from http-request-headers=&quot;SOAPAction&quot;> <domain uri=&quot;*&quot;/> </allow-from> <grant-to> <resource path=&quot;/services/&quot; include-subpaths=&quot;true&quot;/> </grant-to> </policy> </cross-domain-access> </access-policy>
  18. 18. URL Access Restrictions in Silverlight 2
  19. 19. Reference <ul><li>Security Settings in HTML Bridge </li></ul><ul><li>Silverlight MD5 implementation - Home </li></ul><ul><li>Dr. Dobb's | The Silverlight 2.0 Security Model | 3Ô 9, 2008 </li></ul><ul><li>.NET Security Blog : Silverlight Security Cheat Sheet </li></ul><ul><li>.NET Security Blog : Silverlight Security III: Inheritance </li></ul><ul><li>.NET Security Blog : Silverlight Security II: What Makes a Method Critical </li></ul><ul><li>.NET Security Blog : The Silverlight Security Model </li></ul><ul><li>CLR Inside Out: Security In Silverlight 2 </li></ul><ul><li>Calling secure (SSL) services from Silverlight 2 </li></ul><ul><li>HTTP Communication and Security with Silverlight </li></ul>