Assembly Binding Redirection Security Permission

Note

This article is specific to .NET Framework. It doesn't apply to newer implementations of .NET, including .NET 6 and later versions.

Explicit assembly binding redirection in an application configuration file requires a security permission. This applies to redirection of .NET Framework assemblies and assemblies from third parties. The permission is granted by setting the SecurityPermissionFlag flag on the SecurityPermission. Managed assemblies have no permissions by default.

The security permission is granted to applications running in the Trusted Zone (local machine) and Intranet Zone. Applications running in the Internet Zone are strictly prohibited from performing assembly binding redirection.

The permission is not required if assembly redirection is performed in a publisher policy file that is controlled by the component publisher, or in the machine configuration file that is controlled by the administrator. However, the permission is required for an application to explicitly ignore publisher policy using the <publisherPolicy apply="no"/> element in the application configuration file.

The following table shows the default security settings for the BindingRedirects flag.

Zone BindingRedirects flag setting
Trusted Zone (local machine) ON
Intranet Zone ON
Internet Zone OFF
Untrusted zones OFF

An administrator can change these security settings to support or restrict specific scenarios on a given computer. There are no tools for changing the BindingRedirects flag setting from the default; an administrator must manually edit the Security.config file on a user's computer.

See also