Silverlight 4 Security Overview White Paper

re: Silverlight 4 Security Overview White Paper

ganshani.com — Mon, 28 Dec 2009 12:29:53 GMT

trackback from:

http://www.ganshani.com/2009/12/28/silverlight-4-security-overview-white-paper/

re: Silverlight 4 Security Overview White Paper

Cain — Wed, 02 Dec 2009 07:10:23 GMT

Yea, I second Sebastians request... having as much socket support as possible is critical in my opinion, and the arbitrary restrictions are pretty cramping

re: Silverlight 4 Security Overview White Paper

Nick Kramer [MSFT] — Tue, 24 Nov 2009 01:19:34 GMT

@Luigi -- SL’s default networking stack, BrowserHttpWebRequest, leverages the browser to handle authentication, this works in SL3. SL 4 enables an application author to control authentication using ClientHttpWebRequest for authentication protocols such as NTLM, Basic and Digest.

@Philip -- new attachment is .doc

@Walter -- the bulk of this paper applies equally well to SL3, I've tried to call out everything that was specific to SL4 using the "SL4beta" tag.

@Hans -- I'm not sure about the serialization part, but Silverlight 4 supports a limited form of private reflection known as "restricted member access". Basically, you can reflect against private & internal methods, as long as they come from non-platform assemblies. Internals/privates in platform assemblies are still off-limits. (Here, platform assemblies means Silverlight Runtime -- you can reflect against SDK assemblies)

@Sebastian -- in SL4 beta, trusted apps still have port restrictions around sockets, we are investigating lifting that limitation for the final version (trusted apps only). We don't currently have plans for listening TCP sockets in SL4.

Thanks.

re: Silverlight 4 Security Overview White Paper

Sebastien Pouliot — Mon, 23 Nov 2009 22:27:21 GMT

Hello Nick,

The document states that, under elevated trust, sockets are allowed without policy files (great). Is the port restriction gone too ?

And is there any listening (tcp) sockets story coming up ?

Thanks for sharing!

Sebastien

re: Silverlight 4 Security Overview White Paper

Hans — Mon, 23 Nov 2009 05:22:11 GMT

Hi Nick,

Will Silverlight ever get real serialization via reflection like full trust WPF apps has? I understand allowing reflection is a security issue but with the new "elevated trust" mode - why not allow it there?

We have a very strict domain model today which requires serialization to work with fields only and this has been impossible in both SL and medium trust WPF apps.

We want to be able to use our domain model in both the Silverlight app and the WCF server side and we cannot resort to using attributes only like RIA services suggests as this would seriously compromise the domain model of our entire architecture.

Thanks,

Hans

re: Silverlight 4 Security Overview White Paper

Walter Wong — Sun, 22 Nov 2009 15:47:54 GMT

Hi Nick,

I think developers need to learn how to write secure code for SL3 as well. Since you already wrote the article about it on point #3, why not just told us which are also applicable fo SL3.

from

Walter (DevSec MVP)

re: Silverlight 4 Security Overview White Paper

Nigel — Sat, 21 Nov 2009 10:50:52 GMT

Same question as above, is basic authentication implemented?

Nigel

re: Silverlight 4 Security Overview White Paper

Philip — Fri, 20 Nov 2009 10:39:26 GMT

Nick,

Could you please attach a doc version of the paper as well.

Thank you in advance

re: Silverlight 4 Security Overview White Paper

Luigi — Fri, 20 Nov 2009 09:39:44 GMT

Thanks very usefull.

Is the HTTP Basic authentication implemented on SL 4 ?