ClickOnce and Security

ClickOnce deployment is another area where Code Access Security (CAS) needs to be kept in mind. ClickOnce deployments will often be used to deploy Visual Basic .NET (or hybrid Interop Toolkit) applications from a website or network file share. In these cases, the applications don't get the standard Full Trust permissions in CAS. Instead they get the more limited Internet Zone permissions. As a developer, you will need to ensure that your application can run successfully with this permission set. Visual Studio can help out here: rather than having to mess around with your security policy while you're debugging, you can have Visual Studio set up a debugging session with the required permissions (look on the Security page of your project properties to see how to configure this behaviour).
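One way to stay inside the Internet Zone grant instead of requesting more, shown as an added example that is not from the original page: try the operation that needs extra permission, catch the `SecurityException`, and fall back to isolated storage. The `NotesStore` module and the file name are hypothetical, and the example assumes the default Internet Zone permission set, which grants isolated storage but no file access to the user's folders.

```vb
Imports System
Imports System.IO
Imports System.IO.IsolatedStorage
Imports System.Security

' Added example: NotesStore and notes.txt are hypothetical names.
Public Module NotesStore

    Private Const FileName As String = "notes.txt"

    ' Saves the text and returns a description of where it was stored.
    Public Function SaveNotes(ByVal text As String) As String
        Try
            ' Both calls demand FileIOPermission. Under Full Trust they succeed;
            ' under the Internet Zone grant the runtime throws SecurityException.
            Dim folder As String = _
                Environment.GetFolderPath(Environment.SpecialFolder.MyDocuments)
            Dim target As String = Path.Combine(folder, FileName)
            File.WriteAllText(target, text)
            Return target
        Catch ex As SecurityException
            ' Partial trust: do not fail, use the store the zone does allow.
        End Try

        ' Isolated storage is scoped per user and per application and is
        ' quota-limited, so it needs no elevated permission request.
        ' GetUserStoreForApplication requires ClickOnce activation; it throws
        ' IsolatedStorageException when the program is started any other way.
        Using store As IsolatedStorageFile = _
                IsolatedStorageFile.GetUserStoreForApplication()
            Using stream As New IsolatedStorageFileStream( _
                    FileName, FileMode.Create, store)
                Using writer As New StreamWriter(stream)
                    writer.Write(text)
                End Using
            End Using
        End Using
        Return "isolated storage: " & FileName
    End Function

    Public Sub Main()
        Console.WriteLine("Saved to " & SaveNotes("constructed sample text"))
    End Sub

End Module
```

Running this under the Visual Studio partial-trust debugging session described above exercises the fallback branch without changing machine policy.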

If the set of permissions granted to the Internet Zone isn't sufficient, then you have two options:

  1. Ask for the additional permissions in the ClickOnce deployment manifest, and rely on the user accepting the elevated permission request during the install.
  2. Ask your administrator to configure the standard CAS policy on end user machines to permit elevated permission requests from specific publishers. You then use Authenticode to sign the deployment manifest, using the permitted publisher details.

Option 2 is obviously to be preferred, but needs a bit more work to get set up.