
Downloaded .NET Controls Require Full Trust

Posted by: David Carroll

".NET Framework Assemblies Marked with AllowPartiallyTrustedCallersAttribute" lists the framework assemblies that allow calls from downloaded code. All others have an explicit demand for "Full Trust".

Noel Fouts, a co-worker of mine and a good friend, was investigating this issue related to some .NET WinForm controls we are using in some of our applications. He sent out the following email as a summary of his findings. It is an excellent summary of why our controls required "Full Trust."

I have conducted quite a bit of testing on our client-side .NET code and thought I would share my research.

Evidence Testing - Evidence is what the .NET Framework uses to identify the code that is about to run. You create an evidence policy to link to a set of permissions to grant your code.

For downloaded exes and their dependencies, all types of evidence are supported. This includes a Strongname. The customer can use the Strongname we sign our code with to identify our code. This would only work for Tranproc because it is an exe.

For hosted user controls, only "Site" and "URL" types of evidence are supported. For URL, only the "http://sitename/directory/*" format is supported. You cannot reference a specific assembly in the URL. You must use an asterisk.

Permission Testing - Permissions are the rights the code is granted. Some code requires the "Full Trust" permission because it calls other libraries that do not have the "Allow Partially Trusted Callers" bit set. Any downloaded code or code that calls unmanaged code is considered "Partially Trusted."

In Framework 1.1, when code is downloaded from a URL it has some minimal rights (1.0 gave no initial rights). Additional rights can be granted in situations where the code is calling other assemblies that have the "Allow Partially Trusted Callers" bit set to true. If it calls any code with that bit set to false, it requires the "Full Trust" permission.

Any code that inherits from System.Windows.Forms.UserControl requires "Full Trust." This is true for all of Winforms and most of Tranproc. Full control is also required for those times when we use the "AxSHDocVw.dll" library to run a web browser window. This is true for several cases in both Winforms and Tranproc.

Deployment - Some .NET code can be deployed from a URL and some can be deployed to a user's workstation.

The Tranproc.exe can be predeployed to a user's workstation. It can be launched from their hard drive via a "file:///" URL; however, the user will get a File Open/Save dialog box.

WinForm controls cannot be preinstalled. They are not an executable; therefore they cannot be launched from an "<a>" anchor tag. They are hosted by IE, and IE, as a security measure, will not launch the container control found in the CLASSID of the Object tag from the permanent GAC or the hard drive. You can, however, preinstall any dependency assemblies in the GAC, and they will load if they have been granted the correct permissions. To reiterate, though, the main control that the webpage hosts cannot be loaded from the user's GAC.

I hope this is helpful.


The most surprising thing to me is the requirement that all WinForm controls which inherit from UserControl have "FullTrust" in order to run. That seems to defeat the pitch that .NET is much safer than ActiveX controls. It means you really have to explain well the Evidence Based part which allows your machine to trust code only from this site as if it were part of your local machine. I think that if you can get this across in your pitch to a client who is at first resistant to any downloaded controls, they will accept it.
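
One way to see which dependencies push a downloaded control to "Full Trust" is to check each assembly for AllowPartiallyTrustedCallersAttribute. The program below is an added example, not code from the original post or from Noel's testing; the name AptcaAudit is hypothetical. It assumes the .NET Framework code access security rule that a strong-named assembly without the attribute places an implicit FullTrust link demand on its callers.

```csharp
// Added example (not from the original post). AptcaAudit is a hypothetical name.
// Build on .NET Framework: csc AptcaAudit.cs   Run: AptcaAudit.exe First.dll Second.dll
using System;
using System.IO;
using System.Reflection;
using System.Security;

static class AptcaAudit
{
    // Assumed CAS rule: a strong-named assembly without APTCA puts an
    // implicit LinkDemand for FullTrust on its public members.
    static string Classify(Assembly asm, out bool forcesFullTrust)
    {
        byte[] token = asm.GetName().GetPublicKeyToken();
        bool strongNamed = token != null && token.Length > 0;
        bool aptca = asm.IsDefined(typeof(AllowPartiallyTrustedCallersAttribute), false);

        forcesFullTrust = strongNamed && !aptca;
        if (!strongNamed) return "not strong-named, no implicit FullTrust demand";
        return aptca ? "APTCA set, callable from partially trusted code"
                     : "APTCA missing, callers need FullTrust";
    }

    static int Main(string[] args)
    {
        if (args.Length == 0)
        {
            Console.Error.WriteLine("usage: AptcaAudit <assembly> [<assembly> ...]");
            return 2;
        }
        int blocking = 0;
        foreach (string path in args)
        {
            try
            {
                // LoadFrom loads the file into this process: audit only assemblies you already ship.
                Assembly asm = Assembly.LoadFrom(path);
                bool forcesFullTrust;
                string verdict = Classify(asm, out forcesFullTrust);
                if (forcesFullTrust) blocking++;
                Console.WriteLine("{0}: {1}", asm.GetName().Name, verdict);
            }
            catch (BadImageFormatException) { Console.WriteLine("{0}: not a managed assembly", path); }
            catch (IOException e) { Console.WriteLine("{0}: could not load ({1})", path, e.Message); }
        }
        return blocking == 0 ? 0 : 1; // non-zero when any dependency forces FullTrust
    }
}
```

The non-zero exit code lets a build step flag a new dependency that would force a hosted control to ask for "Full Trust".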