Code Access Security for ClickOnce Applications
ClickOnce applications are based on the .NET Framework and are subject to code access security constraints. For this reason, it is important that you understand the implications of code access security and write your ClickOnce applications accordingly.
Code access security is a mechanism in the .NET Framework that helps limit the access that code has to protected resources and operations. You should always configure the code access security permissions for your ClickOnce application to include only those permissions that your application requires. Visual Studio provides the tools necessary to determine and configure the permission set for your application.
By default, a ClickOnce application receives Full Trust permissions when it is installed or run on a client computer. Although there may be cases in which Full Trust permissions are actually necessary, granting Full Trust permissions usually is not a good idea for two important reasons:
An application that has Full Trust permissions has unrestricted access to resources such as the file system and the registry. This potentially allows your application (and the end user's system) to be exploited by malicious code.
When an application requires Full Trust permissions, the end user will be prompted to grant permissions to the application. This means that the application does not truly provide a ClickOnce experience, and the prompt can potentially be confusing to less experienced users.
When installing an application from removable media such as a CD-ROM, the user is not prompted. In addition, a network administrator can configure network policy so that users are not prompted when they install an application from a trusted source. For more information, see Trusted Application Deployment Overview.
For these reasons, you should always modify the code access security permissions for your application to include only the permissions that your application requires.
You should always configure your ClickOnce application to request only the code access security permissions that it actually needs. You can configure security permissions on the Security page of the Project Designer.
The Security page in the Project Designer contains an Enable ClickOnce Security Settings check box. When this check box is selected, security permission requests are added to the deployment manifest for your application. At installation time, the user will be prompted to grant permissions if the requested permissions exceed the default permissions for the zone from which the application is deployed. For more information, see How to: Enable ClickOnce Security Settings.
Applications deployed from different locations are granted different levels of permissions without prompting. For example, when an application is deployed from the Internet, it receives a highly restrictive set of permissions. When installed from a local Intranet, it receives more permissions, and when installed from a CD-ROM, it receives Full Trust permissions.
As a starting point for configuring permissions, you can select a security zone from the Zone list on the Security page. If your application will potentially be deployed from more than one zone, select the zone with the least permissions. If you want to start without any preset permissions and add the permissions needed by your application one at a time, select the Custom zone.
When a zone is selected, the Permissions list is updated to show the default permissions for that zone; included permissions are indicated by a green check mark. For more information, see How to: Set a Security Zone for a ClickOnce Application.
To further limit permissions, you can select a permission set and modify its properties. For example, if your application has to display a File Open dialog box, the FileDialogPermission set grants the right to display dialog boxes. By default, this permission set enables both File Open and File Save dialog boxes. To modify this, click the FileDialogPermission set, click Properties to open a Permission Settings dialog box, and set the permission to Open Dialog only. For more information, see How to: Set Custom Permissions for a ClickOnce Application.
The properties that can be set vary by permission set; not all permission sets have configurable properties.
You can also exclude permission sets that you do not need, or enable permissions that are not part of a zone's default permissions. You do this by picking a value from the Setting list for the permission set. Permissions that have been modified appear in bold text. If a permission has been enabled and it is not part of the zone default, an information icon is added next to the Included check mark.
Enabling permissions that are not part of a zone default will cause the end user to be prompted as noted earlier in this topic. When you enable additional permissions, you should always modify the permission set to include only the permissions that you actually need.
To effectively configure security permissions, it helps to know exactly which permissions your application requires. You can use the Permission Calculator tool, available from the Security page, to analyze your code and determine the exact permissions that are required by your application.
There are some limitations to the Permission Calculator tool. The tool performs a static analysis of code and cannot determine permissions required for late-bound code or for dynamically loaded assemblies. In addition, if you have designed your application to dynamically modify its permission demands when it is running in an environment with lesser permissions, the tool reports the maximum required permissions.
After the tool has analyzed your application, all required permission sets are set to Enabled and appear in bold text. If an enabled permission is not part of the zone default, it will also be marked with a warning icon. If you want to prevent the end user from being prompted, you should review these to determine whether there is a way to modify your code so that the permission is no longer required.
For more information, see How to: Determine the Permissions for a ClickOnce Application.
As a developer, you most likely run your development computer with Full Trust permissions. Therefore, you do not see the same security exceptions when you debug the application that users may see when they run it with restricted permissions.
In order to catch these exceptions, you have to debug the application with the same permissions as the end user. Debugging with restricted permissions can be enabled on the Security page of the Project Designer.
When you debug an application with restricted permissions, exceptions will be raised for any code security demands that have not been enabled on the Security page. An exception helper will appear, providing suggestions about how to modify your code to prevent the exception.
In addition, when you write code, the IntelliSense feature in the Code Editor will gray out any members that are not included in the security permissions that you have configured.
For more information, see How to: Debug a ClickOnce Application with Restricted Permissions.
Visual Studio provides the following project types for Windows Presentation Foundation (WPF) applications:
WPF Windows Application
WPF Web Browser Application
WPF Custom Control Library
WPF Service Library
Of these project types, only WPF Web Browser Applications are hosted in a Web browser and therefore require special deployment and security settings. The default security settings for these applications are:
Enable ClickOnce Security Settings
This is a partial trust application
Internet zone (with default permission set for WPF Web Browser Applications selected)
In the Advanced Security Settings dialog box, the Debug this application with the selected permission set check box is selected and disabled. This is because Debug In Zone cannot be turned off for browser-hosted applications.
When WPF Web Browser Applications are deployed using ClickOnce, they request a specific set of permissions (stored in the appname.exe.manifest file). These are the default permissions for the code access security Internet zone permission set, in addition to two other permissions:
If you set non-default permissions, Visual Studio will issue a warning stating that the application is configured to demand a non-default permission. Installation will fail unless the security policy has already been pushed to the target computer.