why a simple asp.net mvc web site requires full trust
I built a really simple asp.net mvc web site (it doesn't use asp.net identity, entity framework and also it doesn't use any database). These are the references:
and the web.config
<configuration>
<appSettings>
<add key="webpages:Version" value="3.0.0.0" />
<add key="webpages:Enabled" value="false" />
<add key="ClientValidationEnabled" value="true" />
<add key="UnobtrusiveJavaScriptEnabled" value="true" />
</appSettings>
<system.web>
<compilation debug="true" targetFramework="4.5.2" />
<httpRuntime targetFramework="4.5.2" />
</system.web>
<runtime>
<assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
<dependentAssembly>
<assemblyIdentity name="Newtonsoft.Json" culture="neutral" publicKeyToken="30ad4fe6b2a6aeed" />
<bindingRedirect oldVersion="0.0.0.0-6.0.0.0" newVersion="6.0.0.0" />
</dependentAssembly>
<dependentAssembly>
<assemblyIdentity name="System.Web.Optimization" publicKeyToken="31bf3856ad364e35" />
<bindingRedirect oldVersion="1.0.0.0-1.1.0.0" newVersion="1.1.0.0" />
</dependentAssembly>
<dependentAssembly>
<assemblyIdentity name="WebGrease" publicKeyToken="31bf3856ad364e35" />
<bindingRedirect oldVersion="0.0.0.0-1.5.2.14234" newVersion="1.5.2.14234" />
</dependentAssembly>
<dependentAssembly>
<assemblyIdentity name="System.Web.Helpers" publicKeyToken="31bf3856ad364e35" />
<bindingRedirect oldVersion="1.0.0.0-3.0.0.0" newVersion="3.0.0.0" />
</dependentAssembly>
<dependentAssembly>
<assemblyIdentity name="System.Web.WebPages" publicKeyToken="31bf3856ad364e35" />
<bindingRedirect oldVersion="1.0.0.0-3.0.0.0" newVersion="3.0.0.0" />
</dependentAssembly>
<dependentAssembly>
<assemblyIdentity name="System.Web.Mvc" publicKeyToken="31bf3856ad364e35" />
<bindingRedirect oldVersion="1.0.0.0-5.2.3.0" newVersion="5.2.3.0" />
</dependentAssembly>
</assemblyBinding>
</runtime>
<system.codedom>
<compilers>
<compiler language="c#;cs;csharp" extension=".cs" type="Microsoft.CodeDom.Providers.DotNetCompilerPlatform.CSharpCodeProvider, Microsoft.CodeDom.Providers.DotNetCompilerPlatform, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" warningLevel="4" compilerOptions="/langversion:6 /nowarn:1659;1699;1701" />
<compiler language="vb;vbs;visualbasic;vbscript" extension=".vb" type="Microsoft.CodeDom.Providers.DotNetCompilerPlatform.VBCodeProvider, Microsoft.CodeDom.Providers.DotNetCompilerPlatform, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" warningLevel="4" compilerOptions="/langversion:14 /nowarn:41008 /define:_MYTYPE=\"Web\" /optionInfer+" />
</compilers>
</system.codedom>
<system.net>
<mailSettings>
<smtp deliveryMethod="Network" from="[email protected]">
<network host="smtp.domain.com" userName="[email protected]" password="password" port="25" />
</smtp>
</mailSettings>
</system.net>
</configuration>
I published it on a shared hosting server (with IIS 8.5), and got a Security Exception:
Description: The application attempted to perform an operation not allowed by the security policy. To grant this application the required permission please contact your system administrator or change the application's trust level in the configuration file.
The question is why this simple website requires full trust ? I don't understand, if it requires full trust than whatever asp.net mvc website should require full trust.
UPDATE: the full trust is required with the new .net framework features. I uninstalled the packages Microsoft.CodeDom.Providers.DotNetCompilerPlatform and Microsoft.Net.Compilers and now it works.
As per this post from a Microsoft employee (answered Jun 20 '13):
We are removing Medium Trust support from the frameworks we develop (MVC, WebAPI, SignalR, and so on). Going forward, applications built on these frameworks will require Full Trust.
Edit 26 May 2015: The .NET Framework as a whole has deprecated partial trust, and customers are advised not to rely on it as a security boundary.
So, it shouldn't come as a surprise that full trust is required, as partial trust is now completely obsolete.
- How can I use Dependency Injection in an ASP.NET Core ActionFilterAttribute?
- How can I display a messagebox in ASP.NET?
- Sending IMs through an API
- Get url without querystring
- Blazor components and OnInitialized() inside another method
- Icon Doesn't Appear for MAUI Blazor App on Windows if Taskbar Icons are Combined
- inserting data into SQL DB from C# ASP.NET
- string.Format with variable names instead of numbers
- RouteValueDictionary ignores empty values
- How do I get the row I clicked with a button
- Binding gridview using stored procedure
- Zip Azure Storage Files and Return File from Web API returns corrupted files when unzipped
- Drop down list that allows blank or null to be selected
- Setting Base Path using ConfigurationBuilder
- DotNetZip (Ionic.Zip.dll) doesn't work with compress Chinese File or Folder name
- An exception has been raised that is likely due to a transient failure - connect local PostgreSQL to Docker container
- What is proper RegEx expression for SWIFT codes?
- Cannot return null from an action method with a return type of 'Microsoft.AspNetCore.Mvc.IActionResult'
- How do I get the currently loggedin Windows account from an ASP.NET page?
- what URL should Kestrel listen to in a docker container on Azure App Service
- WCF MessageContract not binding to classes - MessageContract is Null in endpoint
- How do I Create Azure Static Web App with Visual Studio?
- Preventing overwriting values one from another of the same application but different windows/tabs with different ID as query string
- InvalidCastException: Unable to cast object of type 'System.Linq.OrderedEnumerable to type 'System.Collections.Generic.List
- How to transform Model-View-Presenter architecture to WebAPI?
- ASP.Net dropdownlist not returning index on selectedindexchanged event
- GetProperty("pname") returns null
- How to query data with composite partition key in CosmosDb
- How to bypass validation for a button in ASP.NET?
- How to build a working Nix package from an ASP.NET project?