Updated: April 2011
Specifies whether assemblies from remote sources should be granted full trust.
If you were directed to this topic because of an error message in the Visual Studio project error list or a build error, see How to: Use an Assembly from the Web in Visual Studio.
The following sections describe attributes, child elements, and parent elements.
Specifies whether an assembly that is loaded from remote sources should be granted full trust.
Do not grant full trust to applications from remote sources. This is the default.
Grant full trust to applications from remote sources.
The root element in every configuration file used by the common language runtime and .NET Framework applications.
Contains information about runtime initialization options.
In the .NET Framework version 3.5 and earlier versions, if you loaded an assembly from a remote location, the assembly would run partially trusted with a grant set that depended on the zone in which it was loaded. For example, if you loaded an assembly from a website, it was loaded into the Internet zone and granted the Internet permission set. In other words, it executed in an Internet sandbox. If you try to run that assembly in the .NET Framework version 4 and later versions, an exception is thrown; you must either explicitly create a sandbox for the assembly (see How to: Run Partially Trusted Code in a Sandbox), or run it in full trust.
The <loadFromRemoteSources> element lets you specify that the assemblies that would have run partially trusted in earlier versions of the .NET Framework are to be run fully trusted in the .NET Framework 4 and later versions. By default, remote assemblies do not run in the .NET Framework 4 and later. To run a remote assembly, you must either run it as fully trusted or create a sandboxed AppDomain in which to run it.
In the .NET Framework 4.5, assemblies on local network shares are run as full trust by default; you do not have to enable the <loadFromRemoteSources> element.
If an application has been copied from the web, it is flagged by Windows as being a web application, even if it resides on the local computer. You can change that designation by changing the file properties, or you can use the <loadFromRemoteSources> element to grant the assembly full trust. As an alternative, you can use the UnsafeLoadFrom method to load a local assembly that the operating system has flagged as having been loaded from the web.
The enabled attribute for this element is effective only when code access security (CAS) is disabled. By default, CAS policy is disabled in the .NET Framework 4 and later versions. If you set enabled to true, remote applications are granted full trust.
If <loadFromRemoteSources> enabled is not set to true, an exception is thrown under the following conditions:
The sandboxing behavior of the current domain is different from its behavior in the .NET Framework 3.5. This requires CAS policy to be disabled, and the current domain not to be sandboxed.
The assembly being loaded is not from the MyComputer zone.
You may get a FileLoadException in a Windows Virtual PC application when you try to load a file from linked folders on the hosting computer. This error may also occur when you try to load a file from a folder linked over Remote Desktop Services (Terminal Services). To avoid the exception, set enabled to true.
Setting the <loadFromRemoteSources> element to true prevents this exception from being thrown. It enables you to specify that you are not relying on the common language runtime to sandbox the loaded assemblies for security, and that they can be allowed to execute as full trust.
If the assembly should not run in full trust, do not set this configuration element. Instead, create a sandboxed AppDomain in which to load the assembly.
This element is typically used in the application configuration file, but can be used in other configuration files depending upon the context. For more information, see the article More Implicit Uses of CAS Policy: loadFromRemoteSources in the .NET Security blog.
The following example shows how to grant full trust to applications from remote sources.
<configuration> <runtime> <loadFromRemoteSources enabled="true"/> </runtime> </configuration>