100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace
.NET

The Silverlight Plugin and Browser Hosting

How the Silverlight browser plugin was installed, embedded into HTML pages, and extended through out-of-browser and elevated trust modes.

FoundationsIntermediate9 min readJul 10, 2026
Analogies

Overview

A Silverlight application only ran because the user's browser had the Silverlight plugin installed — implemented as an ActiveX control in Internet Explorer and as an NPAPI plugin in Firefox, Safari, and other browsers. The plugin registered itself for the MIME type application/x-silverlight-2 and, once present, any web page could embed a Silverlight app by pointing an HTML <object> element at a .xap file; the plugin then downloaded that package, spun up its own sandboxed CLR instance, and rendered the application's XAML content inside the rectangular region carved out for it on the page.

🏏

Cricket analogy: The Silverlight plugin acting as the required intermediary is like needing a certified umpire present before any match can officially begin, the browser page can set up the stumps, the object tag, but nothing counts until the umpire, the plugin, is on the field and signals play.

Embedding via HTML

The canonical way to embed Silverlight was an <object> element with type='application/x-silverlight-2', containing <param> children for source (the .xap URL), minRuntimeVersion (the minimum plugin version required), autoUpgrade (whether to prompt the user to update an outdated plugin), and optionally background, windowless, and initParams (a comma-delimited string of startup key-value pairs read inside Application_Startup). Internet Explorer additionally recognized a classid attribute for its ActiveX activation path, while other browsers relied on the type attribute alone to trigger the NPAPI plugin.

🏏

Cricket analogy: Setting minRuntimeVersion is like a tournament's playing conditions specifying the minimum-grade ball and pitch certification required before a match is sanctioned, if the ground doesn't meet that version, officials trigger an upgrade process before play can proceed.

The Silverlight.js Helper

Rather than hand-writing the <object> markup, most real projects used the Silverlight.js helper script Visual Studio generated, calling Silverlight.createObjectEx (or the newer Silverlight.createObject) with a JavaScript options object specifying source, parentElement, id, properties (like width/height/background), and events (onLoad, onError). This helper also handled detecting whether the plugin was installed at all and, if not, rendering a fallback 'Get Microsoft Silverlight' badge with an install link, giving developers a single JavaScript API instead of juggling raw object/param markup and version-detection logic by hand.

🏏

Cricket analogy: Silverlight.js handling plugin detection and install prompts is like a stadium's automated turnstile system checking a fan's ticket and, if invalid, redirecting them to the box office to buy one, rather than making every gate attendant manually verify credentials.

Out-of-Browser and Elevated Trust

Starting with Silverlight 3, users could right-click a running application and choose 'Install this application onto this computer' (if the app opted in via AppManifest.xaml's <OutOfBrowserSettings>), which copied the .xap locally and created a desktop/Start Menu shortcut launching it in its own chromeless or windowed host outside any browser. Silverlight 4 extended this with 'elevated trust' for out-of-browser apps signed with a valid certificate, granting access to local file system paths (via a folder picker or well-known folders), COM automation (for Office interop on Windows), and other capabilities unavailable to standard in-browser or non-trusted OOB apps.

🏏

Cricket analogy: Installing a Silverlight app out-of-browser is like a touring cricketer being granted permanent residency status after years on tour, elevated trust then being like that resident finally being cleared to captain the national side with full team access.

html
<div id="silverlightControlHost">
  <object data="data:application/x-silverlight-2," type="application/x-silverlight-2"
          width="100%" height="100%">
    <param name="source" value="ClientBin/MyApp.xap"/>
    <param name="minRuntimeVersion" value="5.0.61118.0"/>
    <param name="autoUpgrade" value="true"/>
    <param name="initParams" value="userId=42,theme=dark"/>
    <a href="http://go.microsoft.com/fwlink/?LinkID=149156" style="text-decoration:none">
      <img src="http://go.microsoft.com/fwlink/?LinkId=161376"
           alt="Get Microsoft Silverlight" style="border-style:none"/>
    </a>
  </object>
</div>

The Silverlight plugin registered the MIME type application/x-silverlight-2. Internet Explorer additionally recognized the ActiveX classid; other browsers activated the plugin purely via the object's type attribute through their NPAPI plugin architecture.

  • Silverlight only ran through a browser plugin implemented as ActiveX (IE) or NPAPI (other browsers).
  • Apps were embedded via an HTML <object> element pointing to a .xap file, with <param> tags for configuration.
  • Key params included source, minRuntimeVersion, autoUpgrade, and initParams for startup key-value data.
  • The Silverlight.js helper (Silverlight.createObjectEx) simplified embedding and handled plugin-detection fallback.
  • Out-of-browser (OOB) mode let users install an app locally with its own shortcut, launching outside the browser.
  • Elevated trust (Silverlight 4+) required a signed certificate and granted expanded file system and COM access.
  • Standard in-browser apps remained sandboxed with no direct file system or COM access by default.

Practice what you learned

Was this page helpful?

Topics covered

#NET#SilverlightStudyNotes#MicrosoftTechnologies#TheSilverlightPluginAndBrowserHosting#Silverlight#Plugin#Browser#Hosting#StudyNotes#SkillVeris