Some Silverlight functionalities are blocked in Safari sandbox

Applies to: Microsoft Silverlight 5

Important This article contains information that shows you how to help lower security settings or how to turn off security features on a computer. You can make these changes to work around a specific problem. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this workaround in your particular environment. If you implement this workaround, take any appropriate additional steps to help protect the computer.

Summary


Apple Safari 7, first released with Macintosh OS X 10.9 Mavericks, has a feature known as "Sandboxing" for the browser plug-in environment. This feature prevents Microsoft Silverlight from using certain system functionalities. A sandbox implements an artificial "wall" between the browser plug-in and the operating system, and blocks the use of system functionality that has the potential to be used maliciously.

Sandboxes and other plug-in limitations are becoming increasingly common for browsers that support plug-ins: Internet Explorer has a similar mechanism, and other web browsers are also increasing their scrutiny of plug-ins.

Symptoms


Some Silverlight functionalities are blocked by the Safari 7 sandboxing feature because they require a capability that Safari does not allow. To check whether an action is blocked, open /Applications/Utilities/Console.app and select All messages. When you perform the action, a blocked action produces one or more messages on the system console with sandbox in the name.
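
The same check can be run over saved console text. The following shell function is an added example, not part of the original article: it assumes syslog-style lines whose sender name contains "sandbox" and whose text includes the word deny followed by the blocked operation. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: count sandbox denials per blocked operation.
# Assumed line layout (not taken from the article):
#   <Mon> <DD> <HH:MM:SS> <host> <sender>[pid] ...: <proc>(pid) deny <operation> [path]

summarize_sandbox_denials() {
    awk '
        # Field 5 is the sender; keep only senders with "sandbox" in the name.
        tolower($5) ~ /sandbox/ {
            for (i = 6; i < NF; i++) {
                # The token after "deny" is the operation that was blocked.
                if ($i == "deny") {
                    count[$(i + 1)]++
                    break
                }
            }
        }
        END {
            for (op in count) printf "%d %s\n", count[op], op
        }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample input: three denials from a sandbox daemon, plus one
# unrelated line that contains "deny" but comes from a different sender.
sample_log() {
    cat <<'EOF'
Oct 23 10:15:01 mac sandboxd[212] ([4711]): PluginProcess(4711) deny file-write-create /Users/demo/Desktop/app.dmg
Oct 23 10:15:02 mac sandboxd[212] ([4711]): PluginProcess(4711) deny device-camera
Oct 23 10:15:03 mac Safari[4700]: user chose to deny location access
Oct 23 10:15:09 mac sandboxd[212] ([4711]): PluginProcess(4711) deny file-write-create /Users/demo/Downloads/x.bin
EOF
}

# Prints one "<count> <operation>" line per blocked operation, most frequent first.
sample_log | summarize_sandbox_denials
```

To use it on real data, pipe a saved copy of the console messages into summarize_sandbox_denials in place of sample_log.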

The features that are blocked by the sandbox may change over time even though Silverlight is fully compatible with Safari. For now, the following Silverlight features do not work in Safari when the sandbox environment is enabled for a website.
  • Installing an application Out of Browser (OOB)
    Safari blocks only the action of installing the OOB App, for example, by using the Install this program on your computer option from the Silverlight shortcut menu. After the App is installed, the OOB function works correctly and is not blocked by the sandbox. To work around this issue, you can use another browser, such as Mozilla Firefox, to install the App.
  • LocalMessageSender/Receiver
    This developer functionality uses an implementation that is forbidden by the sandbox feature. Developers should migrate from LocalMessage-based inter-process communication (IPC) to Transmission Control Protocol (TCP)-based communication if they need to communicate with other programs or Silverlight instances.
  • Webcam and Microphone access is blocked.
  • Writing files to users' file system, such as downloading applications.
  • Printing from Silverlight directly, a feature that is available to developers. The browser printing functionality still works correctly.
  • Increasing the Isolated Storage beyond its initial size of about 5 MB. Developers should rely on downloaded data instead of putting large files in isolated storage, or migrate their App to run OOB, which is unaffected.
Other functionality may also be blocked. When Silverlight detects that its functionality is blocked, it will provide an error dialog linking to this Knowledge Base article. However, Silverlight cannot detect all functionality that is blocked by the sandbox because some functionalities are not reported directly by the operating system.   

Workaround


To work around this issue, allow the website to run in "Unsafe" mode. You can do this on a per-site basis.

Warning After you perform this method, Safari trusts the Silverlight site and allows it to run outside the sandbox. This may cause security risks because a security mechanism of the browser is disabled. We recommend that you follow these steps only when it is required for sites or content that you trust.

To allow a specific site to run without the Sandbox in Safari, follow these steps:
  1. Visit the Silverlight site that you want to allow to run.
  2. Select Preferences… from the Safari menu.
  3. Select the Security tab from the preferences screen.
  4. Select the Managed Website Settings… button in the lower-right corner.
  5. Select Silverlight on the left side. If it is not found, verify that you have navigated to the correct site and that the site uses Silverlight.
  6. At the pull-down for your site, click Run in Unsafe Mode.
  7. Select Trust from the dialog that appears.

More Information