NEW CHECK - Silverlight ExternalCallersFromCrossDomain
##### DESCRIPTION #####
After unzipping a .XAP file, review the .XAML manifest file's Deployment element for the following attribute and value:
ExternalCallersFromCrossDomain="ScriptableOnly"
When the attribute is set to ScriptableOnly, the host's native JavaScript can only access scriptable objects that the Silverlight application code registers with the runtime. The ExternalCallersFromCrossDomain attribute accepts two values: ScriptableOnly and NoAccess. The ScriptableOnly value will allow a cross-domain .xap file to programmatically call any scriptable objects that are explicitly exposed by the application.
##### SEVERITY #####
Low
Note: Severity depends on the
##### PREREQUISITE #####
None
##### MITIGATION #####
Note that if the Silverlight clientaccesspolicy is not configured to allow cross-domain access, then this check won't apply. However, the existence of this setting still deserves an alert.
When the ExternalCallersFromCrossDomain attribute is set to NoAccess, scriptable entry points and creatable types are not available to JavaScript or the DOM through Content and createObject.
##### EXAMPLE #####
An example of the XAML content to review would be:
<Deployment xmlns="http://schemas.microsoft.com/client/2007"
            xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"
            EntryPointAssembly="MyAppAssembly"
            EntryPointType="MyNamespace.MyApplication"
            ExternalCallersFromCrossDomain="ScriptableOnly"
            >
  <Deployment.Parts>
    <AssemblyPart Source="MyAppAssembly.dll" />
    <AssemblyPart Source="MyUserControl.dll" />
  </Deployment.Parts>
</Deployment>
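The check described above, as an added example that is not part of the original check text or of any scanner's own code: it opens the .xap as a zip archive, locates the manifest, reads the ExternalCallersFromCrossDomain attribute on the Deployment element and returns a finding. The manifest file name AppManifest.xaml and the sample manifest (modelled on the one shown above) are assumptions; the attribute-absent branch follows the runtime default (NoAccess) described on the MSDN page the check references.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespace of the <Deployment> element as shown in the manifest on this page.
DEPLOYMENT_NS = "http://schemas.microsoft.com/client/2007"
# Assumed name of the manifest inside the .xap archive.
MANIFEST_NAME = "AppManifest.xaml"
ATTR = "ExternalCallersFromCrossDomain"

# Constructed sample manifest, modelled on the example shown on this page.
SCRIPTABLE_MANIFEST = """<Deployment xmlns="http://schemas.microsoft.com/client/2007"
            xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"
            EntryPointAssembly="MyAppAssembly"
            EntryPointType="MyNamespace.MyApplication"
            ExternalCallersFromCrossDomain="ScriptableOnly">
  <Deployment.Parts>
    <AssemblyPart Source="MyAppAssembly.dll" />
  </Deployment.Parts>
</Deployment>
"""
NOACCESS_MANIFEST = SCRIPTABLE_MANIFEST.replace("ScriptableOnly", "NoAccess")


def check_external_callers(manifest_xml):
    """Inspect the Deployment element and return a finding dict.

    'alert' is True when the manifest grants cross-domain script access
    (ScriptableOnly) or carries a value this check does not recognise.
    """
    root = ET.fromstring(manifest_xml)
    if root.tag != "{%s}Deployment" % DEPLOYMENT_NS:
        return {"value": None, "alert": False,
                "note": "manifest root is not a Deployment element"}
    value = root.get(ATTR)
    if value is None:
        # Attribute absent: the runtime default (NoAccess, per the referenced
        # MSDN page) applies, so there is nothing to report.
        return {"value": None, "alert": False,
                "note": "attribute absent; runtime default applies"}
    if value == "NoAccess":
        return {"value": value, "alert": False,
                "note": "cross-domain callers denied"}
    if value == "ScriptableOnly":
        return {"value": value, "alert": True, "severity": "Low",
                "note": "a cross-domain .xap may call scriptable objects this app exposes"}
    return {"value": value, "alert": True, "severity": "Low",
            "note": "unrecognised value; review manually"}


def scan_xap(xap_bytes):
    """Open a .xap (a zip archive), locate the manifest and run the check."""
    with zipfile.ZipFile(io.BytesIO(xap_bytes)) as archive:
        for name in archive.namelist():
            if name.lower() == MANIFEST_NAME.lower():
                # utf-8-sig strips a BOM if the manifest was saved with one
                return check_external_callers(archive.read(name).decode("utf-8-sig"))
    return {"value": None, "alert": False,
            "note": "no %s in archive" % MANIFEST_NAME}


def build_sample_xap(manifest_xml):
    """Build an in-memory .xap holding only the manifest (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr(MANIFEST_NAME, manifest_xml)
        archive.writestr("MyAppAssembly.dll", b"")  # placeholder part, not a real assembly
    return buf.getvalue()


if __name__ == "__main__":
    for label, manifest in (("ScriptableOnly", SCRIPTABLE_MANIFEST),
                            ("NoAccess", NOACCESS_MANIFEST)):
        print(label, scan_xap(build_sample_xap(manifest)))
```

The finding is raised at Low severity regardless of the site's clientaccesspolicy, matching the mitigation note above: the setting is still worth an alert even when cross-domain access is not currently granted, since a later policy change would make it reachable.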
##### REFERENCES #####
Security Settings in HTML Bridge at http://msdn.microsoft.com/en-us/library/cc645023(VS.95).aspx