System.Security.Policy.NetCodeGroup Class

Grants Web permission to the site from which the assembly was downloaded. This class cannot be inherited.

See Also: NetCodeGroup Members


public sealed class NetCodeGroup : CodeGroup


Code groups are the building blocks of code access security policy. Each policy level consists of a root code group that can have one or more child code groups. Each child code group can have its own child code groups; this behavior extends to any number of levels, forming a tree. Each code group has a membership condition that determines if a given assembly belongs to the group, based on the evidence for that assembly. Only code groups whose membership conditions match a given assembly, along with their child code groups, apply code access security policy.

System.Security.Policy.NetCodeGroup has the same merge semantics as that of System.Security.Policy.UnionCodeGroup; it forms the union of the System.Security.Policy.PolicyStatement objects of all matching child code groups and the System.Security.Policy.PolicyStatement it generates from the input System.Security.Policy.Url evidence. However, System.Security.Policy.NetCodeGroup returns a permission containing a dynamically calculated System.Net.WebPermission that grants connect access to the site from which the code is run; System.Security.Policy.UnionCodeGroup simply returns a static permission set.

When a System.Security.Policy.NetCodeGroup is created, it contains the default connection access rules shown in the following table.


No connection access to the origin server is permitted.


HTTP and HTTPS access is permitted using the origin port.


HTTPS access is permitted using the origin port.

You can control the scheme and port that code is permitted to use when connecting back to its site of origin by passing a System.Security.Policy.CodeConnectAccess object with the appropriate CodeConnectAccess.Scheme and CodeConnectAccess.Port property values to the NetCodeGroup.AddConnectAccess(string, CodeConnectAccess) method. You can create a connection access rule that applies when the origin scheme is not present in the evidence or is not recognized by specifying NetCodeGroup.AbsentOriginScheme ("") as the scheme. You can also create a connection access rule that applies when there is no connection access rule with a matching scheme by specifying NetCodeGroup.AnyOtherOriginScheme ("*") as the scheme.


If code does not submit the URI scheme as evidence, access is permitted using any scheme back to the origin site.


Namespace: System.Security.Policy
Assembly: mscorlib (in mscorlib.dll)
Assembly Versions: 1.0.5000.0,,