Code Access Security hosting control in IE


You have a Windows Forms component hosted in Internet Explorer, and you want to catch events raised by this control from client side scripting; to avoid security errors at runtime, the control must have "Allow calls to unmanaged assemblies" permission. if you do this, you'll notice that this works only if you  give this permission to the whole Zone or Site, but does not work if you give it just to the Assembly or the URL.

The reasoning behind the security exception is AppDomains. Before IE can load your assembly, it must create an AppDomain to load the assembly into. When it creates this AppDomain, it assigns all the evidence it knows without loading your assembly, the Site and Zone that it is loading from. Since the AppDomain itself does not get any evidence about the signature that your assembly has (it can't since the assembly is not loaded yet), it will not match the code group that you created giving extra trust. Now when a security demand occurs, a stack walk begins. When your assembly is checked for correct permissions, it passes, and the stack walk continues until it gets to the AppDomain. Since the AppDomain doesn't have the permissions that are required by this demand, it causes the SecurityException to be thrown.

If you want to bypass the above problem and make your application to work only giving permission to the Assembly or the URL, then you have to Assert the permissions you need in the control code, before rising the event. Thanks to asserting, the security check can be done again at runtime after the AppDomain is created.
The following sample should do the trick:

using System;
using System.Drawing;
using System.Security;
using System.Security.Permissions;
using System.Windows.Forms;
using System.Runtime.InteropServices;

[assembly: AllowPartiallyTrustedCallers]
public sealed class SimpleControl : Control
private Button button1;

public SimpleControl()
this.BackColor = Color.Green;
button1 = new Button();
button1.Text = "Click Me!";
button1.Width = 100;
button1.Click += new EventHandler(HandleButtonClick);

private void HandleButtonClick(object sender, EventArgs e)
MethodInvoker h = ButtonClicked;
if (null != h)
catch (Exception ex)

public event MethodInvoker ButtonClicked;

public void SayHello()
MessageBox.Show("Hello from Windows Forms");

public string ThemedBackgroundColor
get { return ColorTranslator.ToHtml(this.BackColor); }
set { this.BackColor = ColorTranslator.FromHtml(value); }

public interface ISimpleEvents
//Each event must have a unique DispId
void ButtonClicked();



Comments (13)

  1. Harvey says:

    How about performance…. Here’s a post I left on a forum with a question regarding UserControls and performance, do you have any ideas ?

    Hi, I need an expert I think….

    I have a web page which hosts a .NET UserControl in the "index.htm" file like this:

    <OBJECT id=HRTopCtrl




    It works fine, only I get serious performance issues on first start up (that is first time I enter the web page after opening IE). Subsequent displays are instantaneous. For example, I run IE, then I go to my page (it is slow), then I surf (google, msdn, …), then I come back to my page (it is very fast). If I stop IE and start again it is slow again of course.

    I’ve been around on the web and found a few posts on this topic, but none really seem to solve the issue.

    Of course, my assemblies are all strong named, and all have "AllowPartiallyTrustedCallers" to be able to execute from IE.

    When I look in the assembly/download folder I see my assembly with Type = Shared (if it isn’t signed I get type = Private).

    For information, the assembly downloads from the server instantaneously, so I figure it is the "build" which is slow.

    Does anyone have an idea what to do ?


    My web site :

  2. Harvey, which version of the framework are you using? Does it repro also with 2.0? Are you using sockets in your control? When it’s loaded the first time, are you doing some "startup" actions you don’t do anymore later?

    I’m thinking to a known issue in the .NET 1.1 framework and it is due to a deadlock situation that occurs between the thread that is trying to download the iexplore.exe.config file and the thread that is actually opening the socket.

    In order to avoid the “deadlock” it’s possible to add the following line of code before opening the socket: System.Configuration.ConfigurationSettings.GetConfig(“”)

    This way, .NET tries to download the configuration file before actually opening the socket, and the deadlock doesn’t happen. This problem is fixed in .NET Framework (2.0).

    HTH, let me know

  3. Harvey says:


    I’m using .NET 2.0 (compiling with VS 2005). My control uses WebServices to connect back to the server and get data, but I’ve tested removing all this code and the problem still occurs…

    In fact, if you test the following URL (it’s a tutorial on developing a UserControl which displays the example for illustration….) you can provoke the problem:

    Copy the link. Close all IE. Open IE and paste the link and enter. It will take the page around 10 seconds to display. Now surf a little (without closing IE). Then paste the link again and it will be instantaneous.

    Now close IE and start again, it will be really slow again (first time). IE Embedded UserControls don’t cache (even with SN). Does anyone know how to solve this?

    You’ll notice that at some moments while waiting, IE is totally locked (the menus don’t highlight, the display doesn’t refresh, …)

    What do you think of it? I feel it is a problem with .NET assembly/download caching.

    As I said, I’ve read a few posts on the topic but found no answers, and I’ve been investigating for a few weeks now. This is a major problem for me right now and is preventing me from releasing a new Web site in good conditions (I’ll end up releasing it and explaining the problem hoping people accept).

    It seems the cache isn’t working as it should, the files are there, but on IE startup it still goes to fetch them, or more precisely it "builds" them (whatever this really means).

    See, I’ve done some tests using Reflection. A first UserControl loads into IE, in it I load another UserControl (different assembly) and display it. What I see is that the Assembly.Load is very fast, but between the constructor call (type.GetConstructor.Invoke()) and the constructor executing there’s a big time elapsed. I’ve put a message just before the ctor call and one on the first line inside the ctor, and it hangs for seconds (depending on the size of the assemblies) at this point. This is what makes me think it is a build/check problem. It looks like IE is spending time building/checking things in the assembly (but I don’t fully understand the details of this yet).

    Thanks for taking some time on this, I’ve had some hard times on the web trying to explain my proble. Some people think I’m nuts, see here



  4. Harvey,

    Yes, I’m able to reproduce the problem as you describe it. But I also noted something that made me think, and a couple of more tests seem to confirm my suspect… The first page you are opening is a classic ASP one, right? While the other pages (accessible from the left menu) are all .aspx, correct?

    Try this:

    To be honest I’ve not made accurate tests and measures so here I’m guessing, but hosting a WinForm contol into a classic ASP page you are “messing” two worlds, two very different types of elaboration on the web server, and I think (but here’s what I’m guessing since I’ve not done more researches at the moment) this also messes the client up a little bit…

    Could you try to migrate also the first page to aspx?

    Anyway, if this still does not help, I really suggest you to open a support call with CSS; I see you have a French email address so you’re based in EMEA, if you’ll open the case I’ll be happy to assist you


  5. Harvey says:


    Thanks a lot, I’m really pleased now to have someone who knows what he’s talking about to share my problem with!

    I don�t fully understand your test because the aspx page has no Forms.UserControl on it, so there�s no reason for it to be slow? (for information, I note that your example uses Forms.Control, but I don�t think using Forms.UserControl should cause problems)

    I don’t really know about CSS support, I’ll look on the web to see how it works and what it is. I�m indeed in France.

    In the meantime, some details: in my application, I don’t use any asp or aspx. It is a simple HTM file which is hosted at

    it has an object tag and if you click the above link you’ll get two assemblies in the assemblies/download cache :



    The first one contains the UserControl and the second some utility classes and functions.

    You can redo the same tests as with the �egg� URL and see the same symptoms (slow after IE startup and fast afterwards).

    Don�t click any buttons in the UserControl because the calls might fail (it�s under development).

    However, this UserControl calls a WebService on the server (in Vista you must run IE as admin by the way), but I�m positive that the slowness doesn�t come from that (I�ve tested removing the calls). However, if you think this could help for future debugging (via CSS maybe) I can create a new UserControl to test with (with simpler sources to show than my current UserControl).


  6. Ok, let’s take this offline, I’ll update the post at the end if relevant also for other people

  7. Harvey says:

    OK, what should I do for this (to take it offline) ? Is there a link to the CSS support (I searched quickly and of course found loads of stuff about Cascading Style Sheets…) ? Or will you send me an email (xxxxxxxxxxxxxx [carloc edit]) ? If I use CSS support how will I continue with you ? (Sorry for all these questions)


  8. Done yesterday evening, check your inbox 🙂

  9. mdew says:

    Has a solution been found for this problem?

  10. Genc, says:


    I have excatly the same situation. I have a usercontrol (~20kb) hosted by IE. First time being dowloaded it takes almost 20 seconds in our LAN. And it does nothing extra in initialization process but being created as an object of his type (later on is used to call ws with encrypted params)

    I havent got any solution yet even though I’m reading all the hints & links here.

    Let me know if you get the solution

    thanks in advance,


  11. Hi Genc, the problem has been resolved a while ago and I also blogged about the solution we found (see; anyway this is not the only possible cause for the slow loading you’re reporting, so if you need further assistance I strongly suggest you open a support call with us as Harvey did. If you’re based in EMEA I may be able to take your call (otherwise you’ll get in touch with one of my colleagues); if you’re based outside EMEA have a look at to get to your local support page and get in touch with a MS CSS Engineer.

    Hope this helps

  12. r4 nintendo says:

    The post was awesome…..The code really changed the design of my upcoming project…….thanx a lot…..

Skip to main content