Summary of the differences between XBAP and Standalone WPF applications

Standalone WPF applications

A standalone WPF application is one that is compiled into an EXE and placed on the users computer via any of the standard installation techniques.  If installed to the local hard drive it has the default security settings of Full Trust.  Naturally this security setting can be modified by an administrator to a more restrictive set of permission.

XAML Browser Applications (XBAPs)

A XBAP application is a WPF application.  It is not installed in the traditional sense however. Instead the user runs the application by going to a specific URL on the Web.  If they navigate to a URL that ends with an xbap extension (http://www.somesite.com/fakeapp.xbap)  using Internet Explorer the application just runs.  This is sometimes called Click-Zero deployment because the user is not prompted to ‘install’ the application.

As stated above XBAPs are not installed in the traditional sense.  Instead they are stored in the browser cache.  There is no way to run the cached XBAP application except by browsing to the URL once again.  If the version on the server has not changed then the cached copy is run.  If a newer version of the XBAP is found on the server then the cached copy is replaced with the new version before the application is started.

A key advantage of XBAPs is that they provide a prompt free installation.  The downside of this approach is there is a huge security risk involved with allowing applications to install and run from the Web.  Therefore all XBAPs are run in a restrictive security sandbox under partial trust.  In other words, they are allowed to use certain .NET libraries but banned from accessing others.

Here is a comparison of the features.

Feature Standalone XBAP
Installed Installed on users computer. Not installed on the client’s computer.
Start Menu Appears in Start Menu. Does not appear in the Start Menu.
Control Panel: Add/Remove Programs Appears in the Add/Remove Programs. Does not appear in the Add/Remove Programs.
Installment methods Installed via XCopy, Windows Installer (MSI) or ClickOnce. Are automatically deployed via ClickOnce.

YourApp.xbap is really a ClickOnce deployment manifest.

Code Access Security Runs in Full Trust unless modified by Administrator. Runs in Internet Zone .
Sandbox restrictions N/A if run as Full Trust. Run as Full Trust.
Process Runs in its own standard OS window. Runs in PresentationHost.exe
Presentation host is registered as the shell and MIME handler for *.xbap files.
Automatic Updates Standalone apps are not automatically updated. Developer must write auto updating framework or use the Microsoft ClickOnce system. Newer version on server is always used.
Offline access Application works if offline. Cannot run XBAP application unless user can navigate to the XBAP URL.
Requirements .NET 4.0 or later installed on user computer. .NET 4.0 or later installed on user computer.
Internet Explorer(6.0 or later)