Security Issues in Reflection Emit

Microsoft Silverlight will reach end of support after October 2021. Learn more.

In Silverlight, the code you generate using reflection emit must be security-transparent. That means it cannot acquire any permissions beyond those of the caller, and in Silverlight the caller always has Internet permissions. In particular, the generated code cannot do the following:

  • Access types and members that are not visible outside the assemblies that define them.

  • Call .NET Framework code that has the SecurityCriticalAttribute attribute.

  • Call code in an assembly that has a LinkDemand for permissions that are not included in the Internet permission set.

  • Perform an Assert.

  • Contain unverifiable code.

  • Call unmanaged code, such as the Win32 API.

Visible types and members in the .NET Framework class libraries can be called from code that is generated by using reflection emit, unless they have been marked with the SecurityCriticalAttribute attribute.