<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.msdn.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>How to provide extra trust for an Internet Explorer hosted assembly</title><link>http://blogs.msdn.com/b/shawnfa/archive/2003/06/26/57026.aspx</link><description>Avoiding security exceptions that occur when you try to provide extra trust based upon strong name or X509 certificates</description><dc:language>en-US</dc:language><generator>Telligent Evolution Platform Developer Build (Build: 5.6.50428.7875)</generator><item><title>have created a windows library control that accesses a local sql database</title><link>http://blogs.msdn.com/b/shawnfa/archive/2003/06/26/57026.aspx#9383281</link><pubDate>Thu, 29 Jan 2009 19:00:20 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:9383281</guid><dc:creator>Tayfun KAPUSUZ</dc:creator><description>&lt;p&gt; have created a windows library control that accesses a local sql database&lt;/p&gt;
&lt;p&gt;I tried the following strings for connecting&lt;/p&gt;
&lt;p&gt;Dim connectionString As String = &amp;quot;Data Source=localhost\SQLEXPRESS;Initial Catalog=TimeSheet;Trusted_Connection = true&amp;quot;&lt;/p&gt;
&lt;p&gt;Dim connectionString As String = &amp;quot;Data Source=localhost\SQLEXPRESS;Initial Catalog=TimeSheet;Integrated Security=SSPI&amp;quot;&lt;/p&gt;
&lt;p&gt;I am not running the webpage in a virtual directory but in &lt;/p&gt;
&lt;p&gt;C:\Inetpub\wwwroot\usercontrol&lt;/p&gt;
&lt;p&gt;and I have a simple index.html that tries to read from an sql db but throws&lt;/p&gt;
&lt;p&gt;the error&lt;/p&gt;
&lt;p&gt;System.Security.SecurityException: Request for the permission of type 'System.Data.SqlClient.SqlClientPermission, System.Data, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.&lt;/p&gt;
&lt;p&gt; &amp;nbsp; at System.Security.CodeAccessSecurityEngine.Check(Object demand, StackCrawlMark&amp;amp; stackMark, Boolean isPermSet)&lt;/p&gt;
&lt;p&gt; &amp;nbsp; at System.Security.PermissionSet.Demand()&lt;/p&gt;
&lt;p&gt; &amp;nbsp; at System.Data.Common.DbConnectionOptions.DemandPermission()&lt;/p&gt;
&lt;p&gt; &amp;nbsp; at System.Data.SqlClient.SqlConnection.PermissionDemand()&lt;/p&gt;
&lt;p&gt; &amp;nbsp; at System.Data.SqlClient.SqlConnectionFactory.PermissionDemand(DbConnection outerConnection)&lt;/p&gt;
&lt;p&gt; &amp;nbsp; at System.Data.ProviderBase.DbConnectionClosed.OpenConnection(DbConnection outerConnection,&lt;/p&gt;
&lt;p&gt;etc etc&lt;/p&gt;
&lt;p&gt; The action that failed was:&lt;/p&gt;
&lt;p&gt;Demand&lt;/p&gt;
&lt;p&gt;The type of the first permission that failed was:&lt;/p&gt;
&lt;p&gt;System.Data.SqlClient.SqlClientPermission&lt;/p&gt;
&lt;p&gt;The Zone of the assembly that failed was:&lt;/p&gt;
&lt;p&gt;Trusted&lt;/p&gt;
&lt;p&gt;I looked into the .net config utility but it says unrestricted and I tried adding it to the trusted internet zones in ie options security&lt;/p&gt;
&lt;p&gt;I think that a windows form connecting to a sql database running in a webpage should be simple&lt;/p&gt;
&lt;p&gt;to configure what am I missing?&lt;/p&gt;</description></item><item><title>re: How to provide extra trust for an Internet Explorer hosted assembly</title><link>http://blogs.msdn.com/b/shawnfa/archive/2003/06/26/57026.aspx#2530990</link><pubDate>Fri, 11 May 2007 01:15:07 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:2530990</guid><dc:creator>IvanK</dc:creator><description>&lt;p&gt;I have a .NET control hosted in IE, which uses WSE2 (Microsoft.Web.Services2.dll) to connect back to the server and download files which are later loaded into MS Office applications (Excel, Word, Outlook).&lt;/p&gt;
&lt;p&gt;WSE2 requires FullTrust and does not trust partially trusted callers. &lt;/p&gt;
&lt;p&gt;My solution so far is to set a URL/Site based policy entry, which grants FullTrust.&lt;/p&gt;
&lt;p&gt;The problem is - how to deploy this policy with minimum client involvement?&lt;/p&gt;
&lt;p&gt;1.	Provide the power users with a document, which describes for them how to do the change using .NET Framework Configuration tool. &lt;/p&gt;
&lt;p&gt;Problem – too much user involvement and .NET 2.0 doesn’t even come with Configuration tool (you have to install the SDK to get it – that’s &amp;nbsp;way too much to ask from the end user)&lt;/p&gt;
&lt;p&gt;2.	The built-in tools - The msi file, generated by the Framework Configuration Tool simply replaces the whole policy instead of only updating it. &lt;/p&gt;
&lt;p&gt;Problem - while this might be considered somewhat OK for well established enterprise-wide situations - it's completely ridiculous each policy “update” to wipe out everything else at that level. On top of that it seems that the msi toggles between install and uninstall no matter how it’s called. Also with the generated msi, there’s no way to change the URL/Site which is different for every client we have.&lt;/p&gt;
&lt;p&gt;3.	To deal with the above situation, I wrote an ActiveX control, which again is launched from a page to set the required .NET CAS permissions. As long as the user has enough Windows permissions and ActiveX controls are allowed, it doesn’t need anything else to “update” the .NET security policy (for the highest CLR version it finds on the machine). This worked just fine in XP...Then Vista came along…and ActiveX basically lost that ability. It’s signed, marked safe for Scripting and Initialization, but I don’t know of any way for the ActiveX to request elevated Windows permissions to run caspol.exe in order to update the policy. In an exe, I can embed a manifest and require admin rights. Then at runtime Vista will prompt for rights elevation if the user can in fact obtain them. &lt;/p&gt;
&lt;p&gt;Problem - how can I do the same in an ActiveX?&lt;/p&gt;</description></item><item><title>re: How to provide extra trust for an Internet Explorer hosted assembly</title><link>http://blogs.msdn.com/b/shawnfa/archive/2003/06/26/57026.aspx#1989607</link><pubDate>Thu, 29 Mar 2007 20:35:28 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:1989607</guid><dc:creator>shawnfa</dc:creator><description>&lt;p&gt;That behavior is from the Windows Forms classes, which I believe (but am not 100% sure) base it upon the zone of the form rather than the trust level of the form.&lt;/p&gt;
&lt;p&gt;You could try asking over in the WinForms group on the MSDN forums, where someone who is better versed in WinForms could provide a more authoritative answer.&lt;/p&gt;
&lt;p&gt;-Shawn&lt;/p&gt;
</description></item><item><title>re: How to provide extra trust for an Internet Explorer hosted assembly</title><link>http://blogs.msdn.com/b/shawnfa/archive/2003/06/26/57026.aspx#1896338</link><pubDate>Fri, 16 Mar 2007 23:45:07 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:1896338</guid><dc:creator>rpt2k</dc:creator><description>&lt;p&gt;First of all, thank you for maintaining this blog. This is very useful and informative. There is very little (if any) documentation available on this issue. Here is my situation. I have a user control which I am hosting in IE. This is signed using a strong name. I have created a new CodeGroup and the membership condition is the public key part of the strong name. Everything works fine in both the Intranet and Internet zone in IE. Except, when a modal form pops up in the Internet Zone, it has a .NET security warning bubble associated with it, warning not to enter password and other stuff on the dialog. (The form/dialog does not have any textboxes on it). This does not happen in Intranet zone. I am confused as to the behaviour. I will really appreciate your input/suggestions for resolving this issue. &lt;/p&gt;
&lt;p&gt;Thanks much.&lt;/p&gt;
</description></item><item><title>re: How to provide extra trust for an Internet Explorer hosted assembly</title><link>http://blogs.msdn.com/b/shawnfa/archive/2003/06/26/57026.aspx#1846466</link><pubDate>Fri, 09 Mar 2007 21:11:33 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:1846466</guid><dc:creator>shawnfa</dc:creator><description>&lt;p&gt;Hi Laca,&lt;/p&gt;
&lt;p&gt;You can't do this without modifying anything on the client machine. &amp;nbsp;(Think of how much malware would love to be able to elevate on client machines!).&lt;/p&gt;
&lt;p&gt;In Orcas there is a feature that allows controls to carry a manifest which states it needs to be trusted, and if that manifest is signed by a trusted publisher (you'll have to push the trusted publisher down to client machines), then it will run with the requested permissions.&lt;/p&gt;
&lt;p&gt;-Shawn&lt;/p&gt;
</description></item><item><title>re: How to provide extra trust for an Internet Explorer hosted assembly</title><link>http://blogs.msdn.com/b/shawnfa/archive/2003/06/26/57026.aspx#1846462</link><pubDate>Fri, 09 Mar 2007 21:09:50 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:1846462</guid><dc:creator>shawnfa</dc:creator><description>&lt;p&gt;Hi Alvin,&lt;/p&gt;
&lt;p&gt;I'm not sure I entirely understand your points. &amp;nbsp;ClickOnce aside (it's not really the same thing -- it allows for installing applications locally, whereas we're talking about hosting a control in a web page here), let me look at your other points.&lt;/p&gt;
&lt;p&gt;You don't have to elevate a Zone, Site, or URL to get this scenario to work. &amp;nbsp;I totally agree that elevating a zone is almost certainly the wrong way to go. &amp;nbsp;You can use StrongName or Publisher evidence to elevate your control, however that means the AppDomain itself will not be trusted. &amp;nbsp;To solve this, you can place Asserts at the entry points of your control so that demands never hit the AppDomain boundary.&lt;/p&gt;
&lt;p&gt;-Shawn&lt;/p&gt;
</description></item><item><title>re: How to provide extra trust for an Internet Explorer hosted assembly</title><link>http://blogs.msdn.com/b/shawnfa/archive/2003/06/26/57026.aspx#1845311</link><pubDate>Fri, 09 Mar 2007 18:26:09 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:1845311</guid><dc:creator>Alvin Bruney</dc:creator><description>&lt;p&gt;I'm annoyed at the fact that there is no viable solution for this at the enterprise level today. Orcas isn't out yet. ClickOnce has its issues. On a fundamental level, elevating the code trust for a site, url or zone in order to have a usercontrol run flies in the face of security. It is just as bad as running an ActiveX because a site, zone or url receives more permissions than it requires. Roll that out to the enterprise and it opens up a massive hole ripe for hacking. What do we do TODAY to make this work in a way that is safe for an enterprise? The *solutions* provided are bandaids that do not address the underlying issue. I'm not referring to this within the context of one or two desktops, I'm putting this in the context of a government or large institution with hundreds of thousands of client machines. You can't reasonably expect to raise the permissions of a site, zone or url to full trust? 
Or did I take a wrong turn somewhere?&lt;/p&gt;</description></item><item><title>Specifying Permissions for IE Controls in Orcas</title><link>http://blogs.msdn.com/b/shawnfa/archive/2003/06/26/57026.aspx#1831336</link><pubDate>Thu, 08 Mar 2007 02:07:58 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:1831336</guid><dc:creator>.Net Security Blog</dc:creator><description>&lt;p&gt;One of my most read blog posts (and one of the reasons I created this blog in the first place -- to answer&lt;/p&gt;
</description></item><item><title>Specifying Permissions for IE Controls in Orcas</title><link>http://blogs.msdn.com/b/shawnfa/archive/2003/06/26/57026.aspx#1830279</link><pubDate>Wed, 07 Mar 2007 22:47:40 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:1830279</guid><dc:creator>RSS It All</dc:creator><description>&lt;p&gt;One of my most read blog posts (and one of the reasons I created this blog in the first place -- to answer&lt;/p&gt;
</description></item><item><title>re: How to provide extra trust for an Internet Explorer hosted assembly</title><link>http://blogs.msdn.com/b/shawnfa/archive/2003/06/26/57026.aspx#1827611</link><pubDate>Wed, 07 Mar 2007 16:33:21 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:1827611</guid><dc:creator>Laca</dc:creator><description>&lt;p&gt;Hi.&lt;/p&gt;
&lt;p&gt;I want to use a .net object in IE. (Directoryservices) &lt;/p&gt;
&lt;p&gt;Can I give full-trust to it? Without modifying anything on client machine.&lt;/p&gt;
&lt;p&gt;Maybe with a certificate or a popup at the client, that he gives full trust to this activex.&lt;/p&gt;
&lt;p&gt;Thanks Laszlo.&lt;/p&gt;</description></item></channel></rss>