PRB: Security Exception When You Use Event Handlers in Internet Explorer

This article was previously published under Q316510
This article has been archived. It is offered "as is" and will no longer be updated.
You may receive a SecurityException error under the following circumstances:
  • You use a custom .NET Windows Forms control that exposes managed events to Internet Explorer through ActiveX sourcing.
  • You use a Web page that consumes the control and handles events.
  • You use the following command to turn on code access security:
    caspol -s on
Note: The control works as expected if you use the following command to turn off code access security, which applies to all managed code on the computer:
    caspol -s off
On any client system, use the .NET Framework Configuration tool (Mscorcfg.msc) to grant the required, individual permissions to the assembly.

Create a permission set with the following minimum settings:
  • Security:
    • Enable assembly execution. This is the permission for the code to run; without it, managed code cannot run.
    • Allow calls to unmanaged assemblies. Because unmanaged code potentially permits other permissions to be bypassed, this is a dangerous permission that must be granted only to highly trusted code. It is used for such purposes as calling native code through Platform Invocation Services (PInvoke) or through COM Interop.
  • User Interface:
    • Allow the use of windows, limited to safe top-level windows and safe subwindows.
  • Web Access:
    • Grant the assembly access to connect to resources. Specify the URL of the assembly.
You can associate a permission set with your control if you define a code group that keys off evidence that is specific to your control, such as its strong name. To create a new code group, follow these steps:
  1. In the .NET Framework Configuration dialog box, click the Code Groups node under the Enterprise node, the Machine node, or the User policy.
  2. Right-click the All_Code node, and then click New.
For more information about permission sets and code groups, see the "References" section.
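The minimum permission set listed above can also be built in code and serialized to the XML file that caspol imports. The following C# program is an added example, not code from the original article; the permission set name ActiveXSourcingControl, the output file name, and the assembly URL are placeholders.

```csharp
// Added example: builds the minimum permission set described in this article
// and writes it as XML for import into machine policy.
using System;
using System.IO;
using System.Net;
using System.Security;
using System.Security.Permissions;

class BuildControlPermissionSet
{
    // Placeholder URL of the hosted assembly; replace with the real location.
    const string AssemblyUrl = "http://intranet.example/controls/YourDllName.dll";

    static NamedPermissionSet Build()
    {
        // Start from an empty set so that nothing is granted implicitly.
        NamedPermissionSet set =
            new NamedPermissionSet("ActiveXSourcingControl", PermissionState.None);
        set.Description = "Minimum grant for the event-sourcing control";
        // Security: assembly execution and calls to unmanaged code.
        set.AddPermission(new SecurityPermission(
            SecurityPermissionFlag.Execution | SecurityPermissionFlag.UnmanagedCode));
        // User Interface: safe top-level windows and safe subwindows only.
        set.AddPermission(new UIPermission(UIPermissionWindow.SafeTopLevelWindows));
        // Web Access: connect only to the URL that serves the assembly.
        set.AddPermission(new WebPermission(NetworkAccess.Connect, AssemblyUrl));
        return set;
    }

    static void Main()
    {
        NamedPermissionSet set = Build();
        // Guard against an accidental full-trust grant before writing policy.
        if (set.IsUnrestricted())
            throw new InvalidOperationException("Permission set must not be unrestricted.");
        foreach (IPermission p in set)
            Console.WriteLine("Grants: " + p.GetType().FullName);
        using (StreamWriter w = new StreamWriter("ActiveXSourcingControl.xml"))
            w.Write(set.ToXml().ToString());
        // Import the set, then key a code group off the control's strong name:
        //   caspol -m -ap ActiveXSourcingControl.xml
        //   caspol -m -ag All_Code -strong -file YourDllName.dll -noname -noversion ActiveXSourcingControl
    }
}
```

Keying the code group off the strong name keeps the UnmanagedCode grant confined to assemblies signed with the control's key.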
Microsoft has confirmed that this is a bug in the Microsoft products that are listed at the beginning of this article.

Steps to Reproduce the Behavior

To create a custom Windows Forms control, follow these steps:
  1. Start Microsoft Visual Studio .NET.
  2. On the File menu, point to New, and then click Project.
  3. In the New Project dialog box, click Visual C# Projects under Project Types, and then click Windows Control Library under Templates.
  4. Copy and then paste the following code into the control window:
    using System;
    using System.ComponentModel;
    using System.Drawing;
    using System.Windows.Forms;
    using System.Runtime.InteropServices;

    namespace ActiveXSourcing
    {
        public delegate void ClickEventHandler(int x, int y);

        // Source interface for events to be exposed.
        // Add GuidAttribute to the source interface to supply an explicit System.Guid.
        // Add InterfaceTypeAttribute to indicate that the interface is the IDispatch interface.
        [System.Runtime.InteropServices.GuidAttribute("0422D916-C11A-474e-947D-45A107038D12")]
        [System.Runtime.InteropServices.InterfaceTypeAttribute(System.Runtime.InteropServices.ComInterfaceType.InterfaceIsIDispatch)]
        public interface ControlEvents
        {
            // Add a DispIdAttribute to any members in the source interface to
            // specify the COM DispId.
            [System.Runtime.InteropServices.DispIdAttribute(0x60020000)]
            void ClickEvent(int x, int y);
        }

        // Add a ComSourceInterfaces attribute to the control to identify
        // the list of interfaces that are exposed as COM event sources.
        [System.Runtime.InteropServices.ClassInterface(System.Runtime.InteropServices.ClassInterfaceType.None),
         System.Runtime.InteropServices.ComSourceInterfaces(typeof(ControlEvents))]
        public class MyWindowControl : System.Windows.Forms.UserControl //, ComInteropControlInterface
        {
            System.Windows.Forms.TextBox tx = new TextBox();

            private void InitializeComponent()
            {
                this.Name = "MyWindowControl";
            }

            event ActiveXSourcing.ClickEventHandler ClickEvent;

            public MyWindowControl() : base()
            {
                initMyWindowControl();
            }

            private void initMyWindowControl()
            {
                Size = new System.Drawing.Size(300, 50);
                tx.Text = "Click the text box to invoke  'ClickEvent'";
                tx.Size = this.Size;
                // Forward the text box click to the COM-visible event.
                tx.Click += new System.EventHandler(ClickHandler);
                this.Controls.Add(tx);
            }

            private void ClickHandler(object sender, System.EventArgs e)
            {
                // Raise the event only if a sink (for example, script on the page) is attached.
                if (ClickEvent != null) {
                    ClickEvent(0, 0);
                }
            }
        }
    }
  5. Create a test Hypertext Markup Language (HTML) page to hook the event. Sample HTML page:
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
    <META HTTP-EQUIV='Content-Type' CONTENT='text/html; charset=iso-8859-1' />
    <HTML>
        <HEAD>
            <TITLE>Sink managed event in Internet Explorer</TITLE>
        </HEAD>
        <BODY>
            <OBJECT id="ctrl" classid="YourDllName.dll#ActiveXSourcing.MyWindowControl">
            </OBJECT>
            <SCRIPT LANGUAGE="JScript">
                function ctrl::ClickEvent(a,b)
                {
                    alert("MyWindowControl_ClickEvent");
                }
            </SCRIPT>
        </BODY>
    </HTML>
  6. Compile the control as a dynamic-link library (DLL).
  7. Use the following command to turn off code access security:
    caspol -s off
    Test the control. Notice that the control works as expected.
  8. Use the following command to turn on code access security:
    caspol -s on
    Test the control. Notice that you receive a SecurityException error.
References

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
313891 HOW TO: Sink Managed C# Events in Internet Explorer Script
For more information, visit the following Microsoft Web sites:
Host Secure, Lightweight Client-Side Controls in Microsoft Internet Explorer

Article ID: 316510 - Last Review: 02/28/2014 04:31:57 - Revision: 6.5

Microsoft Internet Explorer 5.5, Microsoft Internet Explorer (Programming) 6.0, Microsoft .NET Framework 1.1, Microsoft .NET Framework 1.0
