Delegate security differs between versions of the .NET Framework. This section describes the different delegate behaviors and associated security considerations.
In version 1.0 and 1.1 of the .NET Framework
Version 1.0 and 1.1 of the .NET Framework perform the following security actions against a delegate creator and a delegate caller.
When a delegate is created, security link demands on the delegate target method are performed against the grant set of the delegate creator. Failure to satisfy the security action results in a.
When the delegate is invoked, any existing security demands on the delegate caller are performed.
Whenever your code takes delegates from less-trusted code that might call it, make sure that you are not enabling the less-trusted code to escalate its permissions. If you take a delegate and use it later, the code that created the delegate is not on the call stack and its permissions will not be tested if code in or under the delegate attempts a protected operation. If your code and the caller code have higher privileges than the creator, the creator can orchestrate the call path without being part of the call stack.
To address this issue, you can either limit your callers (by requiring a permission, for example) or restrict permissions under which the delegate can execute (by using a Deny or PermitOnly stack override, for example).
In version 2.0 and later of the .NET Framework
Unlike previous versions, version 2.0 of the .NET Framework performs security action against the delegate creator when the delegate is created and called.
When a delegate is created, security link demands on the delegate target method are performed against the grant set of the delegate creator. Failure to satisfy the security action results in a SecurityException.
The delegate creator's grant set is also captured during delegate creation and stored with the delegate.
When the delegate is invoked, the delegate creator's captured grant set is first evaluated against any demands in the current context if the delegate creator and caller belong to different assemblies. Next, any existing security demands on the delegate caller are performed.