Security problem when instantiating a class in intranet zone, .Net
I have a .Net 2.0 ActiveX control that is embedded within an HTML page (in IE7). I use JavaScript to modify its properties and call methods. All this is fine until I call a method that instantiates a class using Activator.CreateInstance(type). I receive the following message:
System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.Security.SecurityException: Request failed.
.. ..
The action that failed was: InheritanceDemand
The type of the first permission that failed was: System.Security.PermissionSet
The Zone of the assembly that failed was: Intranet
The class I'm trying to instantiate has a parm-less public constructor, and from what I've read, there should be no problem using reflection on types that are public anyway?
I've done a temporary fix by using the Microsoft .NET Framework Configuration utility, to modify the intranet trust to full. See here.
How can I modify the method, class, or the assembly to avoid having to configure the framework?
A few extra points:
- The ActiveX control is compiled against .Net 2
- Its assembly is not strong named
- I'm not bothered about granting reflection permissions.
Thanks
Update
It turns out it wasn't reflection that was causing the problem, it was a call to TypeDescriptor.GetAttributes which threw a FileIOPermission security exception. I've fixed this with the following code:
Dim temp As New Security.Permissions.FileIOPermission(Security.Permissions.PermissionState.Unrestricted)
temp.Assert()
' Get attributes (the TypeDescriptor.GetAttributes call goes here)
System.Security.CodeAccessPermission.RevertAssert()
Now, if I set up a code group assigned to the strong name of my assembly and set the permission set to FullTrust, everything is fine.
However, I can't seem to fine-tune it, it's either FullTrust or an exception is thrown (see below). Even the Everything permission set doesn't work.
Exception:
System.Security.SecurityException: Request failed.
at System.Reflection.CustomAttribute._CreateCaObject(Void* pModule, Void* pCtor, Byte** ppBlob, Byte* pEndBlob, Int32* pcNamedArgs)
at System.Reflection.CustomAttribute.CreateCaObject(Module module, RuntimeMethodHandle ctor, IntPtr& blob, IntPtr blobEnd, Int32& namedArgs)
at System.Reflection.CustomAttribute.GetCustomAttributes(Module decoratedModule, Int32 decoratedMetadataToken, Int32 pcaCount, RuntimeType attributeFilterType, Boolean mustBeInheritable, IList derivedAttributes)
at System.Reflection.CustomAttribute.GetCustomAttributes(RuntimeType type, RuntimeType caType, Boolean inherit)
at System.RuntimeType.GetCustomAttributes(Type attributeType, Boolean inherit)
at System.ComponentModel.ReflectTypeDescriptionProvider.ReflectGetAttributes(Type type)
at System.ComponentModel.ReflectTypeDescriptionProvider.ReflectedTypeData.GetAttributes()
at System.ComponentModel.TypeDescriptor.TypeDescriptionNode.DefaultTypeDescriptor.System.ComponentModel.ICustomTypeDescriptor.GetAttributes()
at System.ComponentModel.TypeDescriptor.GetAttributes(Object component, Boolean noCustomTypeDesc)
at System.ComponentModel.TypeDescriptor.GetAttributes(Object component)
... GetAttributes
...
The action that failed was: InheritanceDemand
The type of the first permission that failed was: System.Security.PermissionSet
The Zone of the assembly that failed was: Intranet
I would add the ReflectionPermission attribute to your AssemblyInfo.cs file for the assembly attempting to reflect into the other class, with a RequireMinimum SecurityAction.
However, be aware that all this will do is prevent your application from running in the Intranet zone, instead of running for a while, all seems fine, till the reflection happens. Asserting permissions does not mean they'll be granted, it just allows a program to "fail fast". You can demand a permission all you want; the whole basis of CAS is that it doesn't have to be granted to you.
In order to use reflection in your app or assembly, you must either provide sufficient evidence to run the assembly in a less-restrictive zone (by strongly signing it, for instance), or configure the framework to include ReflectionPermission in the Intranet permission set.
Lastly, be aware that the declarative CAS security model is largely deprecated in .NET Framework 4.0; if you try to migrate this code to .NET 4.0 at a later date you will have to change the way you assert permissions.
The class I'm trying to instantiate has a parm-less public constructor, and from what I've read, there should be no problem using reflection on types that are public anyway?
You shouldn't have a problem with invoking the constructor via reflection if both the class and the constructor are public. However, a public constructor on a non-public class would still pose a problem.
That said, given that it is an inheritance demand that failed, it sounds like the actual problem might lie elsewhere. What happens if you attempt to create a new instance of the class from your control code without using reflection?
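The comparison suggested in the answer above, written out as an added example (not code from the original posts): it constructs the type once directly and once through Activator.CreateInstance, then reports which path raised the SecurityException and for which action, permission type and zone. The names CasProbe, DirectFactory, FindSecurityException, Summarize and Compare are hypothetical.

```vb
Imports System
Imports System.Security

' Added example; every name in this module is hypothetical.
Public Module CasProbe

    ' The caller supplies a method whose body is "Return New TheType()".
    Public Delegate Function DirectFactory() As Object

    ' Walks the InnerException chain (TargetInvocationException wraps the real
    ' failure) and returns the first SecurityException, or Nothing.
    Public Function FindSecurityException(ByVal ex As Exception) As SecurityException
        While ex IsNot Nothing
            Dim se As SecurityException = TryCast(ex, SecurityException)
            If se IsNot Nothing Then Return se
            ex = ex.InnerException
        End While
        Return Nothing
    End Function

    ' Builds a one-line summary from Action, PermissionType and Zone, the same
    ' three fields the exception message in the question shows.
    Public Function Summarize(ByVal label As String, ByVal ex As Exception) As String
        Dim se As SecurityException = FindSecurityException(ex)
        If se Is Nothing Then Return label & ": not a CAS failure: " & ex.GetType().FullName
        Dim permType As String = "(unknown)"
        If se.PermissionType IsNot Nothing Then permType = se.PermissionType.FullName
        Return String.Format("{0}: {1} for {2}, zone {3}", label, se.Action, permType, se.Zone)
    End Function

    ' Runs both construction paths and reports each outcome separately.
    Public Function Compare(ByVal direct As DirectFactory, ByVal t As Type) As String()
        Dim results(1) As String
        Try
            direct()
            results(0) = "direct New: ok"
        Catch ex As Exception
            results(0) = Summarize("direct New", ex)
        End Try
        Try
            Activator.CreateInstance(t)
            results(1) = "Activator.CreateInstance: ok"
        Catch ex As Exception
            results(1) = Summarize("Activator.CreateInstance", ex)
        End Try
        Return results
    End Function

End Module
```

If both entries report the same InheritanceDemand, the failure comes from constructing the type itself rather than from the reflection call.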