Windows Presentation Foundation Partial Trust Security
In general, Internet applications should be restricted from having direct access to critical system resources, to prevent malicious damage. By default, HTML and client-side scripting languages are not able to access critical system resources. Because Windows Presentation Foundation (WPF) browser-hosted applications can be launched from the browser, they should conform to a similar set of restrictions. To enforce these restrictions, WPF relies on both Code Access Security (CAS) and ClickOnce (see Windows Presentation Foundation Security Strategy - Platform Security). By default, browser-hosted applications request the Internet zone CAS permission set, irrespective of whether they are launched from the Internet, the local intranet, or the local machine. Applications that run with anything less than the full set of permissions are said to be running with partial trust.
WPF provides a wide variety of support to ensure that as much functionality as possible can be used safely in partial trust, and along with CAS, provides additional support for partial trust programming.
This topic contains the following sections.
- WPF Feature Partial Trust Support
- Partial Trust Programming
- Managing Permissions
- Related Topics
WPF Feature Partial Trust Support
The following table lists the high level features of Windows Presentation Foundation (WPF) that are safe to use within the limits of the Internet zone permission set.
Table 1: WPF features that are safe in partial trust

| Feature Area | Feature |
|---|---|
| General | Browser Window; Site of Origin Access; IsolatedStorage (512KB Limit); UIAutomation Providers; Commanding; Input Method Editors (IME); Tablet Stylus and Ink; Simulated Drag/Drop using Mouse Capture and Move Events; OpenFileDialog; XAML Deserialization (via XamlReader.Load) |
| Web Integration | Browser Download Dialog; Top-Level User-Initiated Navigation; mailto: links; Uniform Resource Identifier Parameters; HTTPWebRequest; WPF Content Hosted in an IFRAME; Hosting of Same-Site HTML Pages using Frame; Hosting of Same-Site HTML Pages using WebBrowser; Web Services (ASMX); Web Services (using Windows Communication Foundation) |
| Visuals | 2D and 3D; Animation; Media (Site Of Origin and Cross-Domain); Imaging/Audio/Video |
| Reading | FlowDocuments; XPS Documents; Embedded & System Fonts; CFF & TrueType Fonts |
| Editing | Spell Checking; RichTextBox; Plaintext and Ink Clipboard Support; User-Initiated Paste; Copying Selected Content |
| Controls | General Controls |
This table covers the WPF features at a high level. For more detailed information, the Windows Software Development Kit (SDK) documents the permissions that are required by each member in WPF. Additionally, the following features have more detailed information regarding partial trust execution, including special considerations:
- Web Services using Windows Communication Foundation (see Partial Trust).
- XAML (see XAML Overview).
- Popups (see System.Windows.Controls.Primitives.Popup).
- Drag and Drop (see Drag and Drop Overview).
- Clipboard (see System.Windows.Clipboard).
- Imaging (see System.Windows.Controls.Image).
- Serialization (see XamlReader.Load, XamlWriter.Save).
- Open File Dialog Box (see Microsoft.Win32.OpenFileDialog).
The following table outlines the WPF features that are not safe to run within the limits of the Internet zone permission set:
Table 2: WPF features that are not safe in partial trust

| Feature Area | Feature |
|---|---|
| General | Window (Application Defined Windows and Dialog Boxes); SaveFileDialog; File System; Registry Access; Drag and Drop; XAML Serialization (via XamlWriter.Save); UIAutomation Clients; Source Window Access (HwndHost); Full Speech Support; Windows Forms Interoperability |
| Web Integration | Scripting; Document Object Model |
| Visuals | Bitmap Effects; Image Encoding |
| Editing | Rich Text Format Clipboard; Full XAML support |
Partial Trust Programming
For XBAP applications, code that exceeds the default Internet zone permission set will be detected by CAS and will result in a security exception being raised and the application terminating. While this protects users, it does not provide the best user experience.
In general, code that might exceed the allowed permissions is likely to be common code that is shared between standalone and browser-hosted applications. CAS and WPF offer several techniques for managing this scenario.
Detecting Permissions Using CAS
In some situations, it is possible for shared code in library assemblies to be used by both standalone applications and XBAPs. In these cases, code may execute functionality that requires more permissions than the application's granted permission set allows. Your application can detect whether or not it has a certain permission by using Microsoft .NET Framework security. Specifically, it can test whether it has a specific permission by calling the Demand method on an instance of the desired permission. This is shown in the following example, which queries whether the application has the ability to save a file to the local disk:
If an application doesn't have the desired permission, the call to Demand will throw a security exception. Otherwise, the permission has been granted. IsPermissionGranted encapsulates this behavior and returns true or false as appropriate.
Graceful Degradation of Functionality
Being able to detect whether code has the permission to do what it needs to do is interesting for code that can be executed from different zones. While detecting the zone is one thing, it is far better to provide an alternative for the user, if possible. For example, a full trust application typically enables users to create files anywhere they want, while a partial trust application can only create files in isolated storage. If the code to create a file exists in an assembly (.dll) that is shared by both full trust (standalone applications) and partial trust (browser-hosted applications), and both applications want users to be able to create files, the shared code should detect whether it is running in partial or full trust before creating a file in the appropriate location. The following code demonstrates both:
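The permission check from the previous section and the graceful fallback described here, as one added example that is not code from the original page. The IsPermissionGranted signature, the PartialTrustFileWriter class and the SaveText method are assumptions; the check demands an unrestricted FileIOPermission and, when that is denied, writes to isolated storage, which the Internet zone permission set allows:

```csharp
using System;
using System.IO;
using System.IO.IsolatedStorage;
using System.Security;
using System.Security.Permissions;

// Hypothetical helper shared by a standalone (full trust) application and
// an XBAP (partial trust); class and method names are assumptions.
public static class PartialTrustFileWriter
{
    // Returns true if the current call stack has been granted the given
    // permission. Demand throws SecurityException when any caller lacks it.
    public static bool IsPermissionGranted(IPermission requestedPermission)
    {
        try
        {
            requestedPermission.Demand();
            return true;
        }
        catch (SecurityException)
        {
            return false;
        }
    }

    // Full trust: write wherever the user asked. Partial trust: the
    // Internet zone denies file system access, so fall back to the
    // application's isolated storage instead of letting CAS terminate the app.
    public static void SaveText(string fileName, string content)
    {
        var writeAnywhere = new FileIOPermission(PermissionState.Unrestricted);
        if (IsPermissionGranted(writeAnywhere))
        {
            File.WriteAllText(fileName, content);
            return;
        }

        // GetUserStoreForApplication requires an application identity
        // (ClickOnce/XBAP), which is exactly the partial-trust case here.
        // The store is subject to the 512KB Internet zone quota.
        using (IsolatedStorageFile store = IsolatedStorageFile.GetUserStoreForApplication())
        using (var stream = new IsolatedStorageFileStream(fileName, FileMode.Create, store))
        using (var writer = new StreamWriter(stream))
        {
            writer.Write(content);
        }
    }
}
```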
In many cases, you should be able to find a partial trust alternative.
In a controlled environment, such as an intranet, custom managed frameworks can be installed across the client base into the global assembly cache (GAC). These libraries can execute code that requires full trust, and be referenced from applications that are only allowed partial trust by using AllowPartiallyTrustedCallersAttribute (see Windows Presentation Foundation Security and Windows Presentation Foundation Security Strategy - Platform Security for more information).
Browser Host Detection
Using CAS to check for permissions is a suitable technique when you need to check on a per-permission basis. However, this technique depends on catching exceptions as a part of normal processing, which is not recommended in general, and can have performance issues. Instead, if your XAML browser application (XBAP) only runs within the Internet zone sandbox, you can use BrowserInteropHelper.IsBrowserHosted, which returns true for XAML browser applications (XBAPs).
See the Detecting If Browser Hosted sample.
Note: IsBrowserHosted only distinguishes whether an application is running in a browser, not which permission set the application is running with.
Managing Permissions
By default, XBAPs run with partial trust (the default Internet zone permission set). However, depending on the requirements of the application, it is possible to change the set of permissions from the default. For example, if an XBAP is launched from a local intranet, it can take advantage of an increased permission set, which is shown in the following table.
Table 3: Internet and LocalIntranet permissions

| Permission | Attribute | LocalIntranet | Internet |
|---|---|---|---|
| DNS | Access DNS servers | Yes | No |
| Environment Variables | Read | Yes | No |
| File Dialogs | Open | Yes | Yes |
| File Dialogs | Unrestricted | Yes | No |
| Isolated Storage | Assembly isolation by user | Yes | No |
| Isolated Storage | Unknown isolation | Yes | Yes |
| Isolated Storage | Unlimited user quota | Yes | No |
| Media | Safe audio, video, and images | Yes | Yes |
| Printing | Default printing | Yes | No |
| Printing | Safe printing | Yes | Yes |
| Reflection | Emit | Yes | No |
| Security | Managed code execution | Yes | Yes |
| Security | Assert granted permissions | Yes | No |
| User Interface | Unrestricted | Yes | No |
| User Interface | Safe top level windows | Yes | Yes |
| User Interface | Own Clipboard | Yes | Yes |
| Web Browser | Safe frame navigation to HTML | Yes | Yes |
If you need to increase permissions, you can use one of the following tools:
If your XBAP requires full trust, you can use the same tools to increase the requested permissions, although an XBAP will only receive full trust if it is installed on and launched from the local machine. This means you do not retain the automatic update support you get when you publish XBAPs to web servers.
See Also
Concepts
- Windows Presentation Foundation Security
- Windows Presentation Foundation Security Strategy - Platform Security
- Windows Presentation Foundation Security Strategy - Security Engineering
| Date | History | Reason |
|---|---|---|
| July 2008 | Added mention of the new WebBrowser control. | SP1 feature change. |