Quickie 1: Providing Internet Zone Security for local .NET Controls


Background: I'm planning some refresh of my private DVB.NET project. Very different from the current approach the idea is to have all code running directly from the Internet in a browser. This may simplify all issues around deployment. Although much code may conform to the Internet zone security policy in .NET some does not and never will. Especially there is a need to access the underlying hardware using P/Invoke calls. All these could be concentrated in one relativly small .NET assembly which  could then be configured for enhanced rights using the .NET security management tools. This .NET assembly will be the only one which must have additional rights.

The project is private and its main purpose for me is to learn about .NET. The special issue here is about security and the question how to develop a .NET control with special security considerations which will be executed inside a browser. So to say the next generation of DVB.NET may never see the light of day but the technology disussed may be used somewhere else.


Goal: As a software quickie the contents of this article has nothing to do with the real background. In addition I will not offer a concrete solution for a specific problem. But I will discuss the question how I could be possible to develop a .NET control hosted in a browser which must access resources normally not granted to code from the Internet zone. I'll present some steps through the problem as I made it and show some pitfalls I found - and dived into.


Requirements: If the stuff works on any configuration different from mine: fine. But here is where it works right now. The development system is a Windows XP Professional US with Service Pack 1a and Visual Studio 2003 Professional, which also serves as a client for immediate testings in a browser. Additional browser tests have been done on a Windows XP Home GER with Service Pack 1a and Microsoft .NET Framework 1.1 - this should be the minimum requirements for a browser client. For the browser Internet Explorer has been choosen - actually I don't know if any other browser can host .NET controls.



First of all the .NET control is developped and set up to run in a browser in the desired way. Then a first approach is made to host the control in a WinForms application but with restricted rights according to Internet zone policy - the solution presented can be found on the Internet at different places. Since this solution does not fulfill all requirements I show some improvments on the algorithms used. Finally I added some thoughs on enhanced questions like the use of .NET assembly references.


Back to List of Quickies

Back to Projects Home Page