Why the Simple Sandboxing API Requires an ApplicationBase

One trap that catches a lot of people new to the simple sandboxing API is that the API will throw an InvalidOperationException if the AppDomainSetup parameter does not contain an ApplicationBase, saying "This API requires the ApplicationBase to be specified explicitly in the AppDomainSetup parameter."

The reason for this exception is to prevent you from accidentally creating an AppDomain where the sandboxed code can do more than you had intended. I mentioned in my article about hosting AddIns, you’ll generally want to have your partial trust code in a separate directory from your application assemblies and point the AppBase there. By having the ApplicationBase point back to the current application directory (which is what a null ApplicationBase would do by default), the partial trust code being run in the sandbox can load any assembly in your application without a demand taking place. Generally, only a subset of your application code will be written with the intent of being called by the sandboxed code; meaning that you’ve probably only tested a portion of your application for safety in this scenario. APTCA will only help in this scenario if your host assemblies are strongly named -- which may not always be the case.

By throwing an exception if we detect a null ApplicationBase, the CLR is ensuring that you are explicitly are opting into having your host assemblies be loadable by the partial trust code you’re sandboxing. If this is the way that you want your sandbox to operate, then we won’t stop you – we’ll just enforce that you’re clear about that in your code. That prevents someone on a deadline from using a potentially unsafe setting because it was easier to setup, and also makes it easier for code reviewers to spot during a security review.