Silverlight code has three security levels: Transparent, SafeCritical, and Critical.

Transparent code is code that cannot elevate the permissions of the call stack. This means that Transparent code can only run with the same permission level as its caller. All application code is Transparent code.

Critical code is code that has the ability to perform operations that are outside the security sandbox, such as writing to the file system.

SafeCritical code is a code layer on top of Critical code that helps to ensure calls are safe. Platform code can be Transparent, SafeCritical, or Critical. The following illustration shows the security levels.

Dd470128_SL_SecurityModel(en-us,VS_95)

Transparent code will not allow any security check to succeed, although it can cause the check to fail; typically throwing a MethodAccessException. If Transparent code attempts to call Critical code directly, a MethodAccessException is thrown.

Transparent code in Silverlight applications has the following restrictions:

  • Cannot contain unverifiable code, meaning all of the code must be verifiably type-safe.
  • Cannot call native code via a P/Invoke or COM interop.
  • Cannot access Critical code or data unless the target is marked SafeCritical.

SafeCritical code helps to ensure that it is safe for Transparent code to perform critical operations. SafeCritical APIs typically do various checks before passing control to a Critical API, including validating incoming parameters and ensuring that the application state is acceptable for the call to continue. Once a SafeCritical call is allowed to proceed, it invokes a Critical method on the caller's behalf or performs the operation directly.

Writing to the file system is implemented as Critical code. In order to provide access to persistent storage in the file system, Silverlight has a SafeCritical feature called isolated storage. When a Silverlight application calls an isolated storage API, the API validates the request by making sure that the application is requesting a valid file and is not over its storage quota. Then, the isolated storage API calls the Critical APIs to perform the actual work of reading or writing to the hard disk.

Using the SaveFileDialog and OpenFileDialog classes are another SafeCritical way to access the file system. If you use these dialog boxes and the application attempts to access the file system in a way that is not user-initiated, an exception will occur.