.NET client vs. ActiveX (or another approach?)

Question

Does anyone have any white papers or articles that would compare and contrast a web architecture where a .NET client component is required and the options being considered are ActiveX or a .Net component solution?

I have a customer that wants to architecturally recommend a .Net client approach over Active X. However, there are some strong opinions for ActiveX. What I would like to do is gather more background and industry support for our direction.

I personally would not recommend that anybody write an ActiveX component any more. If they are in need on enhanced features in the browser deployment model, I would generally recommend using WPF via XBAP or writing a Silverlight application. Ideally, I'd like to have a conversation about the pros / cons of standard web, augmented web (silverlight), or platform optimized (WPF).

Is this something you guys can help point us in the right direction? Any thoughts?

Answer 1

I wrote about this in 2007 - it's still applicable today - although I am seeing a great amount of interest in using Silverlight for Line Of Business applications lately.

• When to Use Which Microsoft Presentation Technology

• More Details on When to Use Which Presentation Technology

Answer 2

Security is often your strongest selling point. XBAP applications always run in a sandbox, where ActiveX does not.

I found the following microsoft blog entry: XBAP = next-generation ActiveX? to be helpful.

Answer 3

Great links above. I'd like to clarify that though XBAPs and ClickOnce apps run in a sandbox by default, they can be elevated to higher trust. This is trickier to do with XBAP as it requires a Code Access Security policy to exist on the customers machine and there is no easy way to get it there (other than a web-launched MSI which defeats the purpose).

Click-Once applications can specify that they need elevated privileges in the manifest (this is done in project settings). When the application is first launched, if the app needs more privileges than the default zone (usually Internet) the user is prompted and warned but they can approve the elevated rights.

Silverlight runs in a secure sandbox only with no way to elevate. There is a secure way to access local storage but there is no way to interact directly with other hardware like USB devices. Silverlight is great for (nearly) zero-touch application deployment, so long as the application can live within the security and feature boundaries that Silverlight provides. Silverlight does continue to evolve however, and those boundaries continue to expend. With the Live Framework, for example, we can now run Silverlight applications outside of the browser on the desktop in offline mode with data synchronization. I've got a screencast about that on channel 9.

I too would avoid ActiveX unless you just can't fit what you need in one of these other profiles. ActiveX is getting more and more restricted with every browser release and it's a lot harder to control and a lot less secure than the alternatives. ActiveX can be a management headache for IT Pros, which in turn makes it more of challenge to get your app deployed in an enterprise.

Hope that helps and good luck with your project.