Jaa

Same Site Socket Permission

  • Artikkeli

Fairly frequently, people will want to know how to get same site socket permissions, in the same way that they can get same site web permission today. Unfortunately, the answer is that with the security objects shipped with the framework, there is no way to accomplish this.

In order to figure out what coding must be done to get same site socket permissions, first lets look at how same site web permissions are granted. Instead of being a flag on the web permission itself, same site web permission is actually created in the NetCodeGroup. The SSCLI source for this code group can be found here: https://dotnet.di.unipi.it/Content/sscli/docs/doxygen/fx/bcl/netcodegroup_8cs-source.html. This code group, instead of having a static permission set associated with it, creates a dynamic permission set when it is evaluated. If its membership condition is matched, the Resolve method of the code group will scan the evidence for a Url or Site object. If it finds one of these (giving preference to Url), it will generate a WebPermission with access back to that Url. (You can see this by looking at the Resolve method, the interesting part is between lines 82 and 104).

In order to create same site socket access, something very similar would have to be done. However, careful inspection of the NetCodeGroup.cs source file shows that this work is already done for you! The implementation details of generating the dynamic permissions are encapsulated in the CalculatePolicy method (line 284). Interestingly enough, on line 289, a security element named socketPerm is initialized to null, and then ignored for the rest of the method. So it looks like all that needs to be done is to write a method that will create the socket permissions for you. The NetCodeGroup has this method written already as well. Specifically, there's a CreateSocketPermission method on line 225 that does the job for you.

So, in order to modify the NetCodeGroup to create same site socket permissions, all that needs to be done is to change line 289 from:

SecurityElement socketPerm = null;

to

SecurityElement socketPerm = CreateSocketPermission(host, scheme);

And there you go, a NetCodeGroup that will grant both same site web and same site socket permissions.

If you're looking for the NetCodeGroup.cs file in the SSCLI distribution, it unpacks to the clr\src\bcl\system\security\policy directory.