PRB: Security Exception When You Use Event Handlers in Internet Explorer (316510)



The information in this article applies to:

  • Microsoft Internet Explorer (Programming) 5.5
  • Microsoft Internet Explorer (Programming) 6.0
  • Microsoft .NET Framework 1.1
  • Microsoft .NET Framework 1.0

This article was previously published under Q316510

SYMPTOMS

You may receive a SecurityException error under the following circumstances:
  • You use a custom .NET Windows Forms control that exposes managed events to Internet Explorer through ActiveX sourcing.
  • You use a Web page that consumes the control and handles events.
  • You use the following command to enable code access security, so that security policy is enforced on the control:
    caspol -s on
Note: The control works as expected if you use the following command to disable security:
    caspol -s off

RESOLUTION

On any client system, use the .NET Framework Configuration tool (Mscorcfg.msc) to grant the required, individual permissions to the assembly.

Create a permission set with the following minimum settings:
  • Security:
    • Enable assembly execution. This grants permission for the code to run. Without this permission, managed code cannot run.
    • Allow calls to unmanaged assemblies. Because unmanaged code potentially permits other permissions to be bypassed, this is a dangerous permission that must only be granted to highly trusted code. It is used for such applications as calling native code using Platform Invocation Services (PInvoke) or using COM Interop.
  • User Interface:
    • Allow permission to use windows that are limited to safe, top-level windows or safe subwindows.
  • Web Access:
    • Grant the assembly access to connect to Web resources. Specify the URL of the assembly.
You can associate a permission set with your control if you define a code group that keys off evidence that is specific to your control, such as its strong name. To create a new code group, follow these steps:
  1. In the .NET Framework Configuration dialog box, click the Code Groups node under the Enterprise node, the Machine node, or the User policy.
  2. Right-click the All_Code node, and then click New.
For more information about permission sets and code groups, see the "References" section.
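
The permission set and code group described above can also be created through the .NET Framework policy API instead of Mscorcfg.msc. The following is an added example, not code from the original article; the DLL path, the URL, and the permission set and code group names are placeholders, and it is meant to be run once by an administrator.

```csharp
// Added example (not Microsoft's code). Uses the .NET Framework 1.x policy API.
using System;
using System.Collections;
using System.Net;
using System.Reflection;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

class GrantControlPermissions
{
    // Placeholders (assumptions): replace with your control's path and hosting URL.
    const string ControlPath = @"C:\path\to\YourDllName.dll";
    const string ControlUrl = "http://intranet.example/controls/YourDllName.dll";
    const string SetName = "IEEventSourcingMinimum";

    static void Main()
    {
        // Minimum permission set from the Resolution section.
        NamedPermissionSet pset = new NamedPermissionSet(SetName, PermissionState.None);
        pset.AddPermission(new SecurityPermission(
            SecurityPermissionFlag.Execution | SecurityPermissionFlag.UnmanagedCode));
        pset.AddPermission(new UIPermission(UIPermissionWindow.SafeTopLevelWindows));
        pset.AddPermission(new WebPermission(NetworkAccess.Connect, ControlUrl));

        // Key the code group off the control's strong name (public key and
        // assembly name) so that the UnmanagedCode grant applies only to it.
        AssemblyName an = AssemblyName.GetAssemblyName(ControlPath);
        byte[] key = an.GetPublicKey();
        if (key == null || key.Length == 0)
            throw new InvalidOperationException("The control is not strong-named.");
        StrongNameMembershipCondition cond = new StrongNameMembershipCondition(
            new StrongNamePublicKeyBlob(key), an.Name, null);

        // Add the set and the code group under All_Code at the Machine level.
        IEnumerator levels = SecurityManager.PolicyHierarchy();
        while (levels.MoveNext())
        {
            PolicyLevel level = (PolicyLevel)levels.Current;
            if (level.Label != "Machine") continue;
            level.AddNamedPermissionSet(pset);
            UnionCodeGroup group = new UnionCodeGroup(cond, new PolicyStatement(pset));
            group.Name = "MyWindowControl_StrongName";
            CodeGroup root = level.RootCodeGroup;
            root.AddChild(group);
            level.RootCodeGroup = root;
            SecurityManager.SavePolicyLevel(level);
        }
    }
}
```

Because the membership condition pins both the public key and the assembly name, other assemblies do not inherit the unmanaged-code permission, and code access security can stay enabled (caspol -s on).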

STATUS

Microsoft has confirmed that this is a bug in the Microsoft products that are listed at the beginning of this article.

MORE INFORMATION

Steps to Reproduce the Behavior

To create a custom Windows Forms control, follow these steps:
  1. Start Microsoft Visual Studio .NET.
  2. On the File menu, point to New, and then click Project.
  3. In the New Project dialog box, click Visual C# Projects under Project Types, and then click Windows Control Library under Templates.
  4. Copy and then paste the following code into the control window:
    using System;
    using System.ComponentModel;
    using System.Drawing;
    using System.Windows.Forms;
    using System.Runtime.InteropServices;

    namespace ActiveXSourcing
    {
        public delegate void ClickEventHandler(int x, int y);

        // Source interface for events to be exposed.
        // Add GuidAttribute to the source interface to supply an explicit System.Guid.
        // Add InterfaceTypeAttribute to indicate that the interface is the IDispatch interface.
        // Add a DispIdAttribute to any members in the source interface to
        // specify the COM DispId.
        [System.Runtime.InteropServices.GuidAttribute("0422D916-C11A-474e-947D-45A107038D12")]
        [System.Runtime.InteropServices.InterfaceTypeAttribute(System.Runtime.InteropServices.ComInterfaceType.InterfaceIsIDispatch)]
        public interface ControlEvents
        {
            [System.Runtime.InteropServices.DispIdAttribute(0x60020000)]
            void ClickEvent(int x, int y);
        }

        // Add a ComSourceInterfaces attribute to the control to identify
        // the list of interfaces that are exposed as COM event sources.
        [System.Runtime.InteropServices.ClassInterface(System.Runtime.InteropServices.ClassInterfaceType.None),
         System.Runtime.InteropServices.ComSourceInterfaces(typeof(ControlEvents))]
        public class MyWindowControl : System.Windows.Forms.UserControl //, ComInteropControlInterface
        {
            System.Windows.Forms.TextBox tx = new TextBox();

            private void InitializeComponent()
            {
                this.Name = "MyWindowControl";
            }

            // Event that is sourced to the script in the hosting Web page.
            event ActiveXSourcing.ClickEventHandler ClickEvent;

            public MyWindowControl() : base()
            {
                initMyWindowControl();
            }

            private void initMyWindowControl()
            {
                Size = new System.Drawing.Size(300, 50);
                tx.Text = "Click the text box to invoke  'ClickEvent'";
                tx.Size = this.Size;
                tx.Click += new System.EventHandler(ClickHandler);
                this.Controls.Add(tx);
            }

            // Forward the text box click to any sink attached through COM.
            private void ClickHandler(object sender, System.EventArgs e)
            {
                if (ClickEvent != null) {
                    ClickEvent(0, 0);
                }
            }
        }
    }

  5. Create a test Hypertext Markup Language (HTML) page to hook the event. Sample HTML page:
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
    <HTML>
        <HEAD>
            <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
            <TITLE>Sink managed event in Internet Explorer</TITLE>
        </HEAD>

        <BODY>
            <OBJECT id="ctrl" classid="YourDllName.dll#ActiveXSourcing.MyWindowControl">
            </OBJECT>
            <SCRIPT LANGUAGE="JScript">
                // Handler for the ClickEvent that the control sources.
                function ctrl::ClickEvent(a,b)
                {
                    alert("MyWindowControl_ClickEvent");
                }
            </SCRIPT>
        </BODY>
    </HTML>

  6. Compile the control as a dynamic-link library (DLL).
  7. Use the following command to disable the security on the control:
    caspol -s off
    Test the control. Notice that the control works as expected.
  8. Use the following command to enable the security on the control:
    caspol -s on
    Test the control. Notice that you receive a SecurityException error.

REFERENCES

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

313891 HOW TO: Sink Managed C# Events in Internet Explorer Script

Modification Type: Minor
Last Reviewed: 7/8/2005
Keywords:kbBug kbSecurity kbCtrl kbEvent kbpending KB316510 kbAudDeveloper