PRB: Security Exception When You Use Event Handlers in Internet Explorer

Article ID: 316510
This article was previously published under Q316510
This article has been archived. It is offered "as is" and will no longer be updated.

SYMPTOMS

You may receive a SecurityException error under the following circumstances:
  • You use a custom .NET Windows Forms control that exposes managed events to Internet Explorer through ActiveX sourcing.
  • You use a Web page that consumes the control and handles events.
  • You use the following command to enable code access security:
    caspol -s on

Note: The control works as expected if you use the following command to disable security:
    caspol -s off

RESOLUTION

On any client system, use the .NET Framework Configuration tool (Mscorcfg.msc) to grant the required, individual permissions to the assembly.

Create a permission set with the following minimum settings:
  • Security:
    • Enable assembly execution. This grants permission for the code to run. Without this permission, managed code cannot run.
    • Allow calls to unmanaged assemblies. Because unmanaged code can allow other permissions to be bypassed, this is a dangerous permission that must be granted only to highly trusted code. It is used for scenarios such as calling native code through Platform Invocation Services (PInvoke) or COM Interop.
  • User Interface:
    • Allow the use of windows, limited to safe top-level windows or safe subwindows.
  • Web Access:
    • Grant the assembly access to connect to Web resources. Specify the URL of the assembly.
You can associate a permission set with your control if you define a code group that keys off evidence that is specific to your control, such as its strong name. To create a new code group, follow these steps:
  1. In the .NET Framework Configuration dialog box, click the Code Groups node under the Enterprise node, the Machine node, or the User policy.
  2. Right-click the All_Code node, and then click New.
For more information about permission sets and code groups, see the "References" section.

STATUS

Microsoft has confirmed that this is a bug in the Microsoft products that are listed at the beginning of this article.

MORE INFORMATION

Steps to Reproduce the Behavior

To create a custom Windows Forms control, follow these steps:
  1. Start Microsoft Visual Studio .NET.
  2. On the File menu, point to New, and then click Project.
  3. In the New Project dialog box, click Visual C# Projects under Project Types, and then click Windows Control Library under Templates.
  4. Copy and then paste the following code into the control window:
    using System;
    using System.ComponentModel;
    using System.Drawing;
    using System.Windows.Forms;
    using System.Runtime.InteropServices;

    namespace ActiveXSourcing
    {
        public delegate void ClickEventHandler(int x, int y);

        // Source interface for events to be exposed.
        // Add GuidAttribute to the source interface to supply an explicit System.Guid.
        // Add InterfaceTypeAttribute to indicate that the interface is the IDispatch interface.
        [System.Runtime.InteropServices.GuidAttribute("0422D916-C11A-474e-947D-45A107038D12")]
        [System.Runtime.InteropServices.InterfaceTypeAttribute(System.Runtime.InteropServices.ComInterfaceType.InterfaceIsIDispatch)]
        public interface ControlEvents
        {
            // Add a DispIdAttribute to any members in the source interface to
            // specify the COM DispId.
            [System.Runtime.InteropServices.DispIdAttribute(0x60020000)]
            void ClickEvent(int x, int y);
        }

        // Add a ComSourceInterfaces attribute to the control to identify
        // the list of interfaces that are exposed as COM event sources.
        [System.Runtime.InteropServices.ClassInterface(System.Runtime.InteropServices.ClassInterfaceType.None),
         System.Runtime.InteropServices.ComSourceInterfaces(typeof(ControlEvents))]
        public class MyWindowControl : System.Windows.Forms.UserControl //, ComInteropControlInterface
        {
            System.Windows.Forms.TextBox tx = new TextBox();

            private void InitializeComponent()
            {
                this.Name = "MyWindowControl";
            }

            event ActiveXSourcing.ClickEventHandler ClickEvent;

            public MyWindowControl() : base()
            {
                initMyWindowControl();
            }

            private void initMyWindowControl()
            {
                Size = new System.Drawing.Size(300, 50);
                tx.Text = "Click the text box to invoke  'ClickEvent'";
                tx.Size = this.Size;
                tx.Click += new System.EventHandler(ClickHandler);
                this.Controls.Add(tx);
            }

            // Forward the text box click to the COM-visible ClickEvent.
            private void ClickHandler(object sender, System.EventArgs e)
            {
                if (ClickEvent != null) {
                    ClickEvent(0, 0);
                }
            }
        }
    }

  5. Create a test Hypertext Markup Language (HTML) page to hook the event. Sample HTML page:
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
    <HTML>
        <HEAD>
            <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
            <TITLE>Sink managed event in Internet Explorer</TITLE>
        </HEAD>
        <BODY>
            <OBJECT id="ctrl" classid="YourDllName.dll#ActiveXSourcing.MyWindowControl">
            </OBJECT>
            <SCRIPT LANGUAGE="JScript">
                function ctrl::ClickEvent(a, b)
                {
                    alert("MyWindowControl_ClickEvent");
                }
            </SCRIPT>
        </BODY>
    </HTML>

  6. Compile the control as a dynamic-link library (DLL).
  7. Use the following command to disable code access security:
    caspol -s off
    Test the control. Notice that the control works as expected.
  8. Use the following command to enable code access security:
    caspol -s on
    Test the control. Notice that you receive a SecurityException error.

REFERENCES

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
313891 HOW TO: Sink Managed C# Events in Internet Explorer Script
For more information, visit the following Microsoft Web sites:
Code Access Security Policy Tool (Caspol.exe)
http://msdn2.microsoft.com/en-us/library/cb6t8dtz(vs.71).aspx?frame=true

Handling and Raising Events
http://msdn2.microsoft.com/en-us/library/edzehd2t(vs.71).aspx

.NET Framework Configuration Tool
http://msdn2.microsoft.com/en-us/library/2bc0cxhc(vs.71).aspx

Interoperating with Unmanaged Code
http://msdn2.microsoft.com/en-us/library/sd10k43k(vs.71).aspx

Properties

Article ID: 316510 - Last Review: February 28, 2014 - Revision: 6.5
APPLIES TO
  • Microsoft Internet Explorer 5.5
  • Microsoft Internet Explorer (Programming) 6.0
  • Microsoft .NET Framework 1.1
  • Microsoft .NET Framework 1.0