100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace
.NET

Silverlight Deployment and XAP Files

How Silverlight applications are packaged into .xap files, built with MSBuild, hosted on a web server, and optionally installed as out-of-browser desktop apps.

Deployment and SecurityIntermediate9 min readJul 10, 2026
Analogies

What Is a XAP File?

A Silverlight application compiles down to a single .xap file, which is really just a renamed ZIP archive holding your compiled assembly DLLs, an AppManifest.xaml manifest that lists entry points and referenced assemblies, and any embedded resources such as images, fonts, or XML data files. The browser downloads this one package, the Silverlight plugin unzips it in memory, and the in-browser CLR loads the assemblies to run your app.

🏏

Cricket analogy: Think of a XAP file like a cricket team's full kit bag shipped to an away match: bats, pads, gloves and the team sheet all packed into one container so nothing is missing when Virat Kohli's side arrives at the ground.

Building and Packaging with Visual Studio and MSBuild

When you build a Silverlight project in Visual Studio, MSBuild compiles your C# or VB.NET code and XAML into a primary assembly DLL, then invokes the Silverlight build targets to zip that assembly together with the AppManifest.xaml and any content files marked as Resource or Content into the .xap, which is dropped into the project's ClientBin folder. The AssemblyInfo.cs version number and any referenced satellite assemblies for localization also ride along inside the same package.

🏏

Cricket analogy: This is like a groundstaff preparing a Test match pitch: the roller, the pitch report, and the weather forecast all get finalized together the night before so the umpires have one complete package at toss time.

xml
<!-- AppManifest.xaml embedded inside the .xap package -->
<Deployment xmlns="http://schemas.microsoft.com/client/2007/deployment"
            xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"
            EntryPointAssembly="MyStoreFront"
            EntryPointType="MyStoreFront.App"
            RuntimeVersion="5.1.50907.0">
  <Deployment.Parts>
    <AssemblyPart x:Name="MyStoreFront" Source="MyStoreFront.dll" />
    <AssemblyPart x:Name="System.Windows.Controls.Data" Source="System.Windows.Controls.Data.dll" />
  </Deployment.Parts>
</Deployment>

Hosting and Deploying the XAP on a Web Server

Deploying a Silverlight app means copying the .xap file to your web server and embedding an <object> tag referencing it via the source param, typically pointing at ClientBin/MyApp.xap. The critical, easy-to-miss step is registering application/x-silverlight-app as a MIME type on the web server; IIS 6 and many Apache configs did not ship with this mapping by default, so a misconfigured server would serve the .xap with the wrong content type and the plugin would silently refuse to load it.

🏏

Cricket analogy: It's like a broadcaster forgetting to register the correct satellite feed frequency for a World Cup final — the signal is there, but no receiver box is configured to decode it, so viewers see a blank screen.

Common deployment gotcha: on IIS, add a MIME type mapping for the .xap extension to application/x-silverlight-app in the site or server configuration. Without it, requests for the .xap return a 404 or are served as octet-stream, and the Silverlight plugin fails to initialize with no obvious error in the browser UI.

Versioning, Caching, and Out-of-Browser Deployment

Because browsers aggressively cache static files, teams commonly append a version query string like MyApp.xap?v=1.4.2 to the <object> source param so updated builds are fetched instead of a stale cached copy. Silverlight also supported out-of-browser (OOB) deployment, where a user right-clicks the running application and selects 'Install this application onto this computer,' which installs a desktop shortcut that launches the same XAP outside the browser chrome, optionally with elevated trust for local file system and COM access.

🏏

Cricket analogy: It's like the ICC releasing an updated DRS software build before a series and making sure every stadium's system pulls the new version rather than running last year's cached build during a crucial LBW review.

Elevated-trust out-of-browser applications can read and write the local file system and invoke COM objects, which meaningfully widens the attack surface. Only enable elevated trust for applications you fully control and distribute through a trusted channel, since a compromised elevated-trust XAP behaves much like a traditional desktop executable rather than a sandboxed web app.

  • A .xap file is a ZIP archive containing compiled assemblies, AppManifest.xaml, and embedded resources.
  • MSBuild produces the .xap in the ClientBin folder during a normal Visual Studio build.
  • The web server must map the .xap extension to the application/x-silverlight-app MIME type or the plugin fails to load it.
  • Version query strings on the <object> source param prevent browsers from serving stale cached XAP builds.
  • Out-of-browser (OOB) deployment installs a desktop shortcut that runs the same XAP outside the browser chrome.
  • Elevated trust for OOB apps grants file system and COM access but significantly increases security risk.
  • AppManifest.xaml declares the entry point assembly, entry point type, and required runtime version.

Practice what you learned

Was this page helpful?

Topics covered

#NET#SilverlightStudyNotes#MicrosoftTechnologies#SilverlightDeploymentAndXAPFiles#Silverlight#Deployment#XAP#Files#DevOps#StudyNotes#SkillVeris