This documentation is archived and is not being maintained.


Whenever your code takes delegates from less-trusted code that might call it, make sure that you are not enabling the less-trusted code to escalate its permissions. If you take a delegate and use it later, the code that created the delegate is not on the call stack and its permissions will not be tested if code in or under the delegate attempts a protected operation. If your code and the delegate code have higher privileges than the caller, the caller can orchestrate the call path without being part of the call stack.

To address this issue, you can either limit your callers (by requiring a permission, for example) or restrict the permissions under which the delegate can execute (by using a Deny or PermitOnly stack override, for example).
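Both mitigations are sketched below for .NET Framework code access security. This is an added example, not code from the original page: the `CallbackScheduler` type, its method names, and the choice of `UnmanagedCode` as the demanded permission are assumptions made for illustration.

```csharp
using System;
using System.Security;
using System.Security.Permissions;

// Hypothetical library type that stores a delegate and invokes it later.
public sealed class CallbackScheduler
{
    private Action _callback;

    // Mitigation 1: limit callers. The demand walks the stack while the
    // registering code is still on it, so a less-trusted caller fails here
    // and never gets its delegate stored.
    public void RegisterTrustedOnly(Action callback)
    {
        if (callback == null) throw new ArgumentNullException("callback");
        // Illustrative choice: demand whatever your scenario requires.
        new SecurityPermission(SecurityPermissionFlag.UnmanagedCode).Demand();
        _callback = callback;
    }

    // Mitigation 2: accept any caller, but restrict the delegate when it runs.
    public void Register(Action callback)
    {
        if (callback == null) throw new ArgumentNullException("callback");
        _callback = callback;
    }

    public void RunLater()
    {
        if (_callback == null) return;

        // The code that created the delegate is no longer on the stack, so
        // its grant set will not be checked. Narrow the effective permissions
        // to execution only before calling into the delegate.
        PermissionSet sandbox = new PermissionSet(PermissionState.None);
        sandbox.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
        sandbox.PermitOnly();
        try
        {
            // Any demand for file, registry, network, etc. raised in or
            // under the delegate now fails with a SecurityException.
            _callback();
        }
        finally
        {
            // Remove the override so later code in this frame is unaffected.
            CodeAccessPermission.RevertPermitOnly();
        }
    }
}
```

A `PermitOnly` override constrains demands that reach this stack frame; trusted code under the delegate that calls `Assert` for a permission it has been granted stops the stack walk before it gets here, so the override does not constrain such code.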

See Also

Secure Coding Guidelines