Microsoft KB Archive/316510

= PRB: Security Exception When You Use Event Handlers in Internet Explorer =

Article ID: 316510

Article Last Modified on 4/19/2007


APPLIES TO


 * Microsoft Internet Explorer 5.5
 * Microsoft Internet Explorer (Programming) 6.0
 * Microsoft .NET Framework 1.1
 * Microsoft .NET Framework 1.0




This article was previously published under Q316510



SYMPTOMS
You may receive a SecurityException error under the following circumstances:
 * You use a custom .NET Windows Forms control that exposes managed events to Internet Explorer through ActiveX sourcing.
 * You use a Web page that consumes the control and handles events.
 * You use the following command to enable security on the control:

    caspol -s on

Note: The control works as expected if you use the following command to disable security:

    caspol -s off

This switch turns off code access security checks for all managed code on the computer, not only for this control.



RESOLUTION
On any client system, use the .NET Framework Configuration tool (Mscorcfg.msc) to grant the required, individual permissions to the assembly.

Create a permission set with the following minimum settings:
 * Security:
   * Enable assembly execution. This grants permission for the code to run. Without this permission, managed code cannot run.
   * Allow calls to unmanaged assemblies. Because unmanaged code potentially permits other permissions to be bypassed, this is a dangerous permission that must only be granted to highly trusted code. It is used for such applications as calling native code using Platform Invocation Services (PInvoke) or using COM Interop.
 * User Interface:
   * Allow permission to use windows that are limited to safe, top-level windows or safe subwindows.
 * Web Access:
   * Grant the assemblies access to connect with resources. Give the URL to the assembly.

You can associate a permission set with your control if you define a code group that keys off evidence that is specific to your control, such as its strong name. To create a new code group, follow these steps:
 * 1) In the .NET Framework Configuration dialog box, click the Code Groups node under the Enterprise node, the Machine node, or the User policy.
 * 2) Right-click the All_Code node, and then click New.
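
The minimum permission set listed above can also be built in code and exported as XML for import into policy, which makes the grant reviewable. This is an added example, not part of the original article: the set name ActiveXSourcingEvents, the file name ControlPset.xml, the placeholder URL, the code group name and the Caspol.exe invocations in the closing comment are assumptions.

```csharp
// Added example (not from the KB article). Builds the article's minimum
// permission set and writes it as XML for import into .NET security policy.
// Assumed names: "ActiveXSourcingEvents", ControlPset.xml, the placeholder URL.
using System;
using System.IO;
using System.Net;
using System.Security;
using System.Security.Permissions;

class BuildControlPermissionSet
{
    static NamedPermissionSet Build(string controlUrl)
    {
        // Start from an empty set so that nothing is granted implicitly.
        NamedPermissionSet pset =
            new NamedPermissionSet("ActiveXSourcingEvents", PermissionState.None);
        pset.Description = "Minimum grant for the event-sourcing control (KB 316510)";

        // Security: assembly execution plus calls to unmanaged code (COM interop).
        pset.AddPermission(new SecurityPermission(
            SecurityPermissionFlag.Execution | SecurityPermissionFlag.UnmanagedCode));
        // User Interface: safe top-level windows and safe subwindows only.
        pset.AddPermission(new UIPermission(UIPermissionWindow.SafeTopLevelWindows));
        // Web Access: connect access limited to the URL the control is served from.
        pset.AddPermission(new WebPermission(NetworkAccess.Connect, controlUrl));
        return pset;
    }

    static void Main(string[] args)
    {
        // Placeholder URL; pass the real location of the control as the first argument.
        string url = args.Length > 0
            ? args[0] : "http://intranet.example/controls/YourDllName.dll";
        new Uri(url); // throws UriFormatException on a malformed URL

        using (StreamWriter writer = new StreamWriter("ControlPset.xml"))
        {
            writer.Write(Build(url).ToXml().ToString());
        }
    }
}

// Import the set and bind it to the control's strong name in machine policy.
// The DLL must be signed with a strong name; confirm the label of All_Code
// with "caspol -m -lg" before adding the group (1. is assumed here):
//   caspol -m -ap ControlPset.xml
//   caspol -m -ag 1. -strong -file YourDllName.dll -noname -noversion ActiveXSourcingEvents -n ActiveXSourcingControl
```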

For more information about permission sets and code groups, see the "References" section.



STATUS
Microsoft has confirmed that this is a bug in the Microsoft products that are listed at the beginning of this article.



Steps to Reproduce the Behavior
To create a custom Windows Forms control, follow these steps:
 * 1) Start Microsoft Visual Studio .NET. On the File menu, point to New, and then click Project.
 * 2) In the New Project dialog box, click Visual C# Projects under Project Types, and then click Windows Control Library under Templates.
 * 3) Copy and then paste the following code into the control window:

    using System;
    using System.ComponentModel;
    using System.Drawing;
    using System.Windows.Forms;
    using System.Runtime.InteropServices;

    namespace ActiveXSourcing
    {
        public delegate void ClickEventHandler(int x, int y);

        // Source interface for events to be exposed.
        // Add GuidAttribute to the source interface to supply an explicit System.Guid.
        // Add InterfaceTypeAttribute to indicate that interface is the IDispatch interface.
        [System.Runtime.InteropServices.GuidAttribute("0422D916-C11A-474e-947D-45A107038D12")]
        [System.Runtime.InteropServices.InterfaceTypeAttribute(System.Runtime.InteropServices.ComInterfaceType.InterfaceIsIDispatch)]
        public interface ControlEvents
        {
            // Add a DispIdAttribute to any members in the source interface to
            // specify the COM DispId.
            [System.Runtime.InteropServices.DispIdAttribute(0x60020000)]
            void ClickEvent(int x, int y);
        }

        // Add a ComSourceInterfaces attribute to the control to identify
        // the list of interfaces that are exposed as COM event sources.
        [System.Runtime.InteropServices.ClassInterface(System.Runtime.InteropServices.ClassInterfaceType.None),
         System.Runtime.InteropServices.ComSourceInterfaces(typeof(ControlEvents))]
        public class MyWindowControl : System.Windows.Forms.UserControl //, ComInteropControlInterface
        {
            System.Windows.Forms.TextBox tx = new TextBox();

            private void InitializeComponent()
            {
                this.Name = "MyWindowControl";
            }

            event ActiveXSourcing.ClickEventHandler ClickEvent;

            public MyWindowControl() : base()
            {
                initMyWindowControl();
            }

            private void initMyWindowControl()
            {
                Size = new System.Drawing.Size(300, 50);
                tx.Text = "Click the text box to invoke 'ClickEvent'";
                tx.Size = this.Size;
                tx.Click += new System.EventHandler(ClickHandler);
                this.Controls.Add(tx);
            }

            // Raise the managed event that is exposed to the script in the Web page.
            private void ClickHandler(object sender, System.EventArgs e)
            {
                if (ClickEvent != null)
                {
                    ClickEvent(0, 0);
                }
            }
        }
    }

 * 4) Create a test Hypertext Markup Language (HTML) page to hook the event. Sample HTML page:

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
    <META HTTP-EQUIV='Content-Type' CONTENT='text/html; charset=iso-8859-1' />

    <HTML>
    <HEAD>
    <TITLE>Sink managed event in Internet Explorer</TITLE>
    </HEAD>
    <BODY>
    <OBJECT id="ctrl" classid="YourDllName.dll#ActiveXSourcing.MyWindowControl">
    </OBJECT>
    <SCRIPT LANGUAGE="JScript">
        function ctrl::ClickEvent(a,b)
        {
            alert("MyWindowControl_ClickEvent");
        }
    </SCRIPT>
    </BODY>
    </HTML>

 * 5) Compile the control as a dynamic-link library (DLL).
 * 6) Use the following command to disable the security on the control:

    caspol -s off

   Test the control. Notice that the control works as expected.
 * 7) Use the following command to enable the security on the control:

    caspol -s on

   Test the control. Notice that you receive a SecurityException error.

<div class="references_section">