There is a concept in this, what is the trust environment? What is a partial trust environment?
The answer is that the environment that runs the code on the local computer is the trust environment, such as the machine code's running environment, the local computer. NET's IL code, the environment in which code is run (loaded from outside the local computer) is a partial-trust environment (such as a JavaScript script's running environment is a browser and a Silverlight application's operating environment is the Silverlight version of the CLR), Code in a partial trust environment is typically loaded from the network.
The name of the sandbox is very vivid, and we can think of it as a box to isolate the local running environment so that the code in the sandbox does not have access to native resources and code. browsers and Silverlight running environments, e-mail messages, and so on are all sandboxed.
For Silverlight applications, the sandbox in which it runs is the Silverlight CLR, but the maximum allowed access is its HTML page, which can manipulate the DOM and JS code on the HTML page. You can also access resources in Silverlight isolated storage. But, in addition to these, must not access the client's computer on the other resources, otherwise it would be like a virus.
Description: Silverlight 4 and later applications running outside the browser can be configured to run in a trusted environment, bypassing many sandbox functionality restrictions. You should be careful when creating these types of applications.
There are two code types in Silverlight: Platform code and application code. "Platform Code" is an API provided by the Silverlight runtime and SDK. "Application Code" is code that you write using platform code.
The Silverlight code has three levels of security, from low to high, respectively: transparent, security-critical, and critical. All application code is transparent code.
Critical code is code that performs operations outside the security sandbox, such as writing to the file system. Security-critical code is a layer of code at the top of the critical code to help ensure that the call is safe. Platform code can be transparent, security-critical, or critical. The following figure shows three security levels.
As we can see from the diagram, transparent code can invoke security-critical code, and security-critical code can invoke critical code, but transparent code cannot call critical code directly or it methodaccessexception exceptions.
Transparent code in Silverlight applications has the following limitations:
-
Cannot contain code that cannot be validated. This means that all code must be verifiable as type safe.
-
Native code cannot be invoked through P/invoke or COM interop.
-
Critical code or data cannot be accessed unless the target is marked as security-critical.
Security-critical code can help ensure that transparent code performs critical operations securely. Security-critical APIs typically perform various checks before passing a control to a critical API, including validating incoming parameters and ensuring application state support continues to be invoked. When a security-critical call is allowed to continue, it invokes a critical method on behalf of the caller or executes the action directly.
For example, an operation that writes content to a file system is implemented as a critical code. To be able to access persistent storage in the file system, Silverlight provides a security-critical feature called isolated storage. When the Silverlight application invokes the isolated storage API, the API verifies the request by ensuring that the application is requesting a valid file and that it does not exceed its storage quota. The isolated storage API then invokes the critical API to perform the actual work of reading and writing hard drives.
Security-critical code can also be used in another way-requiring a user to start-to ensure the security of the call. This means that to use some of the features of Silverlight, you must request user input. For example, a user must click a button to display OpenFileDialog. If you try to display OpenFileDialog without user input, a SecurityException appears. By requesting user input to enable many features, Silverlight can make it clear to the user which applications they run are requesting elevated privileges. Here is a list of features that require a user to start:
|
Application features
|
More information
|
|
File system access
|
File system access is restricted, and most dialog boxes must be user-initiated. For more information, see Dialog Box overview.
|
|
Full-screen mode
|
Full-screen mode must be a user-initiated and display a message about how to exit the mode. When the user presses the ESC key or switches to another window, the application automatically exits Full-screen mode. For more information, see full screen support.
|
|
Network Camera and microphone support
|
The use of a network camera or microphone must be user initiated. The user must grant permissions in the security prompt.
Silverlight 4 and later.
|
|
Print
|
The Print dialog box must be started by the user. For more information, see Printing.
Silverlight 4 and later.
|
|
Clipboard access
|
Clipboard access must be initiated by the user. The user must grant permissions in the security prompt. The permission ends when the current page is closed or when the user leaves the current page. For more information, see Clipboard.
Silverlight 4 and later.
|
To specify a security level, you should add properties to platform code. All application code must be transparent and the security attribute tag should not be used. If the application code is marked with a security attribute, the property is ignored and an exception occurs when an unsafe call is attempted.
