Configuring ClickOnce Security

An application that uses ClickOnce runs under Full Trust by default. Under Full Trust, the application has unrestricted access to resources such as files and the registry, as well as the network. This potentially can be dangerous, as it opens the possibility of your code being exploited by malicious code. To prevent this, use Code Access Security to limit the permissions for your application to only what is necessary.

You can change the trust level of your applications by going to the Security tab of the project's Properties window (see Figure 1-13).

Figure 1-13. Configuring security settings for your application

There are three zones in which your application can be installed: Local computer, Local Intranet, and Internet, with the Internet zone having the most restrictive permissions and the "Local computer" zone imposing virtually no limits.

For example, if you set your application to install from the Internet zone, it would not be able to perform file I/O operations on a local computer or access registry settings. In this case, you need to explicitly grant the permissions required by the application in the Security tab of the project (as shown in Figure 1-13).

To see what will happen when you set your application to the Internet zone, check the Enable ClickOnce Security Settings checkbox and select the option "This is a partial trust application." Select Internet as the zone and publish the application. When you launch the application, click the "Save a File" button. You will see an error window (see Figure 1-14) describing the error.

Figure 1-14. The security policy prevents you from publishing the application

In fact, all of the functions in the application will fail except the function that accesses the originator web service. This is interesting. To understand this, click the "Advanced..." button located at the bottom of the window to display the Advanced Security Settings dialog box (see Figure 1-15).

Figure 1-15. Viewing the advanced security setting for your application

Notice that the "Grant the application access to its site of origin" checkbox is checked by default. This indicates that your application is allowed to access a web service hosted on the same machine that hosts your published application. If you uncheck this option, republish the application, and then update the application, you will not be allowed to access your web service.

To allow the other functions to work properly without security restrictions, you need to set the permissions, as shown in Figure 1-16.

Figure 1-16. Setting the required permissions for your application

Notice that for zone defaults, the icon is a green check icon that indicates that the permission is granted in the selected zone. When you change the setting from Zone Default to Include, the green check icon now changes to an exclamation mark inside a yellow triangle, signifying that this operation requires elevated permission to execute.

One particular noteworthy permission setting is FileDialogPermission. The default value for this setting is Zone Default and it shows a green check icon. However, if you leave the setting like this and republish your application, you will notice that the "Save a File" button will fail. This is because, by default, the FileDialogPermission setting only allows the Open File dialog box to display and not the Save File dialog box. To allow both dialog boxes to open, select the FileDialogPermission setting and click Properties. Select the "Grant Assembles unrestricted access to the file dialog boxes" option and click OK.