I've recently been looking a lot into Silverlight and into what tomorrow's business applications might look like. In the process, I've come across a well-known limitation of Silverlight 4's out-of-browser support: even in elevated scenarios, the application can only access files in the "My *" folders (My Documents, etc.). This struck me as rather odd as - at the same time - full COM access is possible.
The reason this struck me as odd is that one could easily use a COM component to perform the work:
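    using System;
    using System.IO;
    using System.Windows.Interop; // ComAutomationFactory (Silverlight 4 beta name)

    public static void WriteToFile(byte[] buffer, string fileName)
    {
        // COM automation is only available out-of-browser with elevated trust.
        if (!(App.Current.IsRunningOutOfBrowser && ComAutomationFactory.IsAvailable))
        {
            throw new Exception("This functionality only works OOB with elevated permissions");
        }

        // Stage the data in My Documents, which Silverlight's own file API may write to.
        string tmpFile;
        do
        {
            Guid id = Guid.NewGuid();
            tmpFile = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.MyDocuments), id.ToString());
        } while (File.Exists(tmpFile));

        try
        {
            using (Stream st = File.Create(tmpFile))
            {
                st.Write(buffer, 0, buffer.Length);
            }

            // Let the COM FileSystemObject copy the staged file to the real destination.
            dynamic fso = ComAutomationFactory.CreateObject("Scripting.FileSystemObject");
            dynamic file = fso.GetFile(tmpFile);
            file.Copy(fileName);
        }
        finally
        {
            // Remove the staging file even if the copy fails.
            File.Delete(tmpFile);
        }
    }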
Please note that this is not a security vulnerability: it's just how COM has worked forever. I would just like to ask for the removal of the "My *"-folder limitation as it doesn't really increase security, but makes ugly workarounds like the one presented above necessary.
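Since the folder restriction does not bound what an elevated out-of-browser application can reach through COM, the setting worth reviewing is whether a given application requests elevated trust at all. The following is an added example, not code from the original post: a Python check that reads a XAP's AppManifest.xaml and reports whether it asks for `ElevatedPermissions="Required"`. The function names and the sample XAP are constructed for illustration, and the manifest layout assumed is the Silverlight 4 out-of-browser one.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

MAX_MANIFEST_BYTES = 1024 * 1024  # refuse oversized manifests (zip-bomb guard)

def requests_elevated_trust(xap_bytes):
    """Return True if the XAP's manifest requests elevated out-of-browser trust."""
    with zipfile.ZipFile(io.BytesIO(xap_bytes)) as xap:
        try:
            info = xap.getinfo("AppManifest.xaml")
        except KeyError:
            raise ValueError("not a Silverlight XAP: AppManifest.xaml missing")
        if info.file_size > MAX_MANIFEST_BYTES:
            raise ValueError("AppManifest.xaml is unexpectedly large")
        manifest = xap.read(info)
    # For XAPs from untrusted sources, use a hardened XML parser instead.
    root = ET.fromstring(manifest)
    for element in root.iter():
        # Compare the local name only, so the check ignores the XML namespace.
        if element.tag.rsplit("}", 1)[-1] == "SecuritySettings":
            if element.get("ElevatedPermissions", "").lower() == "required":
                return True
    return False

def build_sample_xap(elevated):
    """Build a minimal, constructed XAP (a zip holding only a manifest)."""
    security = (
        "<OutOfBrowserSettings.SecuritySettings>"
        '<SecuritySettings ElevatedPermissions="Required" />'
        "</OutOfBrowserSettings.SecuritySettings>"
    ) if elevated else ""
    manifest = (
        '<Deployment xmlns="http://schemas.microsoft.com/client/2007/deployment" '
        'EntryPointAssembly="Sample" EntryPointType="Sample.App">'
        "<Deployment.OutOfBrowserSettings>"
        '<OutOfBrowserSettings ShortName="Sample">' + security +
        "</OutOfBrowserSettings>"
        "</Deployment.OutOfBrowserSettings>"
        "</Deployment>"
    )
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("AppManifest.xaml", manifest)
    return buffer.getvalue()

if __name__ == "__main__":
    for flag in (True, False):
        print(flag, requests_elevated_trust(build_sample_xap(flag)))
```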