39 changes: 16 additions & 23 deletions xml/System.Security.Policy/ApplicationDirectory.xml
Expand Up @@ -34,14 +34,7 @@
<Interfaces />
<Docs>
<summary>Provides the application directory as evidence for policy evaluation. This class cannot be inherited.</summary>
<remarks>
<format type="text/markdown"><![CDATA[

## Remarks
The domain host can associate a file directory with an application domain. The evidence for policy evaluation is provided only when the application domain is associated with a file directory.

]]></format>
</remarks>
<remarks>The domain host can associate a file directory with an application domain. The evidence for policy evaluation is provided only when the application domain is associated with a file directory.</remarks>
</Docs>
<Members>
<Member MemberName=".ctor">
Expand Down Expand Up @@ -78,11 +71,11 @@
<param name="name">The path of the application directory.</param>
<summary>Initializes a new instance of the <see cref="T:System.Security.Policy.ApplicationDirectory" /> class.</summary>
<remarks>
<format type="text/markdown"><![CDATA[
## Remarks
Application code does not need to create instances of this class.
<format type="text/markdown"><![CDATA[

## Remarks
Application code does not need to create instances of this class.

]]></format>
</remarks>
<exception cref="T:System.ArgumentNullException">The <paramref name="name" /> parameter is <see langword="null" />.</exception>
Expand Down Expand Up @@ -200,11 +193,11 @@
<returns>
<see langword="true" /> if the two instances are equivalent; otherwise, <see langword="false" />.</returns>
<remarks>
<format type="text/markdown"><![CDATA[
## Remarks
The directory values of the two instances must match exactly. Equivalent noncanonical paths are not resolved. For example, C:\app and C:\temp\\...\app are not equal directory values.
<format type="text/markdown"><![CDATA[

## Remarks
The directory values of the two instances must match exactly. Equivalent noncanonical paths are not resolved. For example, C:\app and C:\temp\\...\app are not equal directory values.

]]></format>
</remarks>
</Docs>
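Review bot: The example in the re-indented Remarks line, `C:\temp\\...\app`, has three dots where a parent-directory segment (`..`) would make it a noncanonical spelling of `C:\app`; as written it does not illustrate "equivalent noncanonical paths". Since the line is being touched anyway, correct the example if `..` was intended. The sentence matters to readers because it tells them this evidence is compared as an exact string with no path normalization, so a host that builds directory evidence from differently spelled paths gets instances that do not compare equal.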
Expand Down Expand Up @@ -281,11 +274,11 @@
<summary>Gets a string representation of the state of the <see cref="T:System.Security.Policy.ApplicationDirectory" /> evidence object.</summary>
<returns>A representation of the state of the <see cref="T:System.Security.Policy.ApplicationDirectory" /> evidence object.</returns>
<remarks>
<format type="text/markdown"><![CDATA[
## Remarks
This method is useful during debugging to get an easy-to-read representation of the object.
<format type="text/markdown"><![CDATA[

## Remarks
This method is useful during debugging to get an easy-to-read representation of the object.

]]></format>
</remarks>
</Docs>
4 changes: 0 additions & 4 deletions xml/System.Security.Policy/ApplicationTrust.xml
Expand Up @@ -183,8 +183,6 @@

[!INCLUDE[cas-deprecated](~/includes/cas-deprecated.md)]

`fullTrustAssemblies` identifies strong-named assemblies within the <xref:System.AppDomain> that are to be granted full trust. This constructor is called by the <xref:System.AppDomain.CreateDomain*?displayProperty=nameWithType> method to create an <xref:System.AppDomain> that will be used as a sandbox. For more information about running an application in a sandbox, see [How to: Run Partially Trusted Code in a Sandbox](/dotnet/framework/misc/how-to-run-partially-trusted-code-in-a-sandbox).

]]></format>
</remarks>
<exception cref="T:System.ArgumentNullException">
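Review bot: The paragraph removed after the cas-deprecated include is the only visible text in these remarks that says what `fullTrustAssemblies` means (strong-named assemblies granted full trust in the AppDomain) and that links to the sandbox how-to. If the removal is intentional, confirm that the `fullTrustAssemblies` param description outside this hunk still carries the strong-name detail; otherwise keep one sentence here, since who receives full trust is the security-relevant part of this constructor.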
Expand Down Expand Up @@ -414,8 +412,6 @@ The <xref:System.Security.ISecurityPolicyEncodable.ToXml*> and <xref:System.Secu

[!INCLUDE[cas-deprecated](~/includes/cas-deprecated.md)]

The list identifies assemblies that are to be granted full trust within the <xref:System.AppDomain> that is associated with this <xref:System.Security.Policy.ApplicationTrust> instance. The assemblies are identified by their strong names.

]]></format>
</remarks>
</Docs>
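Review bot: With the sentence after the include removed, nothing visible in this member's remarks states that the listed assemblies are identified by their strong names. Consider folding "identified by their strong names" into the member's summary or value text rather than dropping it, so the page still says how full-trust assemblies are matched.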
181 changes: 17 additions & 164 deletions xml/System.Security.Policy/CodeGroup.xml

Large diffs are not rendered by default.

37 changes: 16 additions & 21 deletions xml/System.Security.Policy/EvidenceBase.xml
Expand Up @@ -44,17 +44,12 @@
<Docs>
<summary>Provides a base class from which all objects to be used as evidence must derive.</summary>
<remarks>
<format type="text/markdown"><![CDATA[

## Remarks
Before the .NET Framework 4, almost any object could be used as an evidence object if the hosting code wanted to apply it as evidence. For example, some .NET Framework code recognized <xref:System.Uri?displayProperty=nameWithType> objects as evidence. The common language runtime (CLR) considered evidence objects as <xref:System.Object?displayProperty=nameWithType> references, and did not apply any type safety to them.

This presented a problem because there were implicit restrictions on which types could be used as evidence objects. Specifically, any object used as evidence had to be serializable and could not be `null`. If these requirements were not met, the CLR threw an exception whenever an operation that required one of these assumptions was performed.

The <xref:System.Security.Policy.EvidenceBase> class, which all evidence objects must derive from, was introduced in the .NET Framework 4 to enable constraints on the types of objects that can be used as evidence and to provide the ability to add new features and requirements to all evidence objects. The <xref:System.Security.Policy.EvidenceBase> class ensures, upon instantiation, that the evidence object is serializable. In addition, it enables new evidence requirements to be created by adding new default implementations to the base class.

All the types used by the CLR as evidence objects have been updated in the .NET Framework 4 to derive from <xref:System.Security.Policy.EvidenceBase>.

<format type="text/markdown"><![CDATA[

## Remarks

The <xref:System.Security.Policy.EvidenceBase> class, which all evidence objects must derive from, enables constraints on the types of objects that can be used as evidence, and provides the ability to add new features and requirements to all evidence objects. The <xref:System.Security.Policy.EvidenceBase> class ensures, upon instantiation, that the evidence object is serializable. In addition, it enables new evidence requirements to be created by adding new default implementations to the base class.

]]></format>
</remarks>
</Docs>
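Review bot: The rewritten Remarks paragraph drops the closing statement of the old text, that all the types the CLR uses as evidence objects derive from EvidenceBase, together with the .NET Framework 4 history. Trimming the history is reasonable, but that statement is not history only; consider keeping it without the version reference. Separately, this hunk leaves a blank line between `## Remarks` and the paragraph, while the other re-indented remarks in this PR put the text directly under the heading; pick one form.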
Expand Down Expand Up @@ -91,11 +86,11 @@
<Docs>
<summary>Initializes a new instance of the <see cref="T:System.Security.Policy.EvidenceBase" /> class.</summary>
<remarks>
<format type="text/markdown"><![CDATA[
## Remarks
All objects to be used as evidence must be serializable. You must mark any derived types as serializable, because the serializable attribute does not propagate to derived classes.
<format type="text/markdown"><![CDATA[

## Remarks
All objects to be used as evidence must be serializable. You must mark any derived types as serializable, because the serializable attribute does not propagate to derived classes.

]]></format>
</remarks>
<exception cref="T:System.InvalidOperationException">An object to be used as evidence is not serializable.</exception>
Expand Down Expand Up @@ -139,11 +134,11 @@
<summary>Creates a new object that is a complete copy of the current instance.</summary>
<returns>A duplicate copy of this evidence object.</returns>
<remarks>
<format type="text/markdown"><![CDATA[
## Remarks
The duplicate copy is a complete copy that includes all the evidence objects in the collection.
<format type="text/markdown"><![CDATA[

## Remarks
The duplicate copy is a complete copy that includes all the evidence objects in the collection.

]]></format>
</remarks>
</Docs>
59 changes: 5 additions & 54 deletions xml/System.Security.Policy/FileCodeGroup.xml
Expand Up @@ -47,12 +47,6 @@

[!INCLUDE[cas-deprecated](~/includes/cas-deprecated.md)]

Code groups are the building blocks of code access security policy. Each policy level consists of a root code group that can have child code groups. Each child code group can have their own child code groups; this behavior extends to any number of levels, forming a tree. Each code group has a membership condition that determines if a given assembly belongs to it based on the evidence for that assembly. Only code groups whose membership conditions match a given assembly and their child code groups apply policy.

<xref:System.Security.Policy.FileCodeGroup> has the same child matching semantics as <xref:System.Security.Policy.UnionCodeGroup>. However, <xref:System.Security.Policy.FileCodeGroup> returns a permission set containing a dynamically-calculated <xref:System.Security.Permissions.FileIOPermission> that grants file access to the directory from which the code is run; <xref:System.Security.Policy.UnionCodeGroup> only returns a static permission set. The type of file access granted is passed as a parameter to the constructor.

This code group only matches assemblies run over a file protocol, that is, assemblies that have URLs that point to a file or UNC path.

]]></format>
</remarks>
</Docs>
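Review bot: Removing all three paragraphs leaves the class-level remarks with only the cas-deprecated include, and with them goes the description of what this group grants: a dynamically calculated FileIOPermission for the directory the code runs from, matched only for assemblies whose URLs point to a file or UNC path. That is the behavior that separates FileCodeGroup from UnionCodeGroup, so keep a one-sentence version of it here, or move it into the summary, instead of deleting it outright.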
Expand Down Expand Up @@ -92,16 +86,7 @@
<param name="membershipCondition">A membership condition that tests evidence to determine whether this code group applies policy.</param>
<param name="access">One of the <see cref="T:System.Security.Permissions.FileIOPermissionAccess" /> values. This value is used to construct the <see cref="T:System.Security.Permissions.FileIOPermission" /> that is granted.</param>
<summary>Initializes a new instance of the <see cref="T:System.Security.Policy.FileCodeGroup" /> class.</summary>
<remarks>
<format type="text/markdown"><![CDATA[

## Remarks
This constructor creates a basic code group. Child code groups can be added with the <xref:System.Security.Policy.CodeGroup.AddChild*> method.

<xref:System.Security.Policy.FileCodeGroup> returns a permission set containing a dynamically-calculated <xref:System.Security.Permissions.FileIOPermission> that grants file access to the directory from which the code is run. The type of access granted is determined by the `access` parameter.

]]></format>
</remarks>
<remarks>To be added.</remarks>
Comment thread
gewarren marked this conversation as resolved.
<exception cref="T:System.ArgumentNullException">The <paramref name="membershipCondition" /> parameter is <see langword="null" />.</exception>
<exception cref="T:System.ArgumentException">The type of the <paramref name="membershipCondition" /> parameter is not valid.
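Review bot: `<remarks>To be added.</remarks>` replaces real text with a placeholder, which reads as missing documentation rather than as a deliberate trim. The `access` param description above already says the value is used to construct the granted FileIOPermission, so if the old remarks are considered redundant, keep only the sentence about adding child code groups with AddChild rather than a placeholder. The same point applies to the other members in this file that receive "To be added.".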

Expand Down Expand Up @@ -143,14 +128,7 @@
<Docs>
<summary>Gets a string representation of the attributes of the policy statement for the code group.</summary>
<value>Always <see langword="null" />.</value>
<remarks>
<format type="text/markdown"><![CDATA[

## Remarks
<xref:System.Security.Policy.FileCodeGroup> does not use <xref:System.Security.Policy.FileCodeGroup.AttributeString*>, so this property is always `null`.

]]></format>
</remarks>
<remarks>To be added.</remarks>
</Docs>
</Member>
<Member MemberName="Copy">
Expand Down Expand Up @@ -187,14 +165,7 @@
<Docs>
<summary>Makes a deep copy of the current code group.</summary>
<returns>An equivalent copy of the current code group, including its membership conditions and child code groups.</returns>
<remarks>
<format type="text/markdown"><![CDATA[

## Remarks
This method makes a deep copy of the code group, so that copies of all objects the code group contains are also made.

]]></format>
</remarks>
<remarks>To be added.</remarks>
</Docs>
</Member>
<Member MemberName="CreateXml">
Expand Down Expand Up @@ -466,18 +437,7 @@
<param name="evidence">The evidence for the assembly.</param>
<summary>Resolves policy for the code group and its descendants for a set of evidence.</summary>
<returns>A policy statement consisting of the permissions granted by the code group with optional attributes, or <see langword="null" /> if the code group does not apply (the membership condition does not match the specified evidence).</returns>
<remarks>
<format type="text/markdown"><![CDATA[

## Remarks
Given evidence for an assembly to be loaded, this method evaluates the code group by first checking the membership condition against the specified evidence. If there is a match, this method returns a policy statement for the code group, including evaluation of child code groups.

The .NET Framework security system uses <xref:System.Security.Policy.FileCodeGroup.Resolve*> on the policy levels to determine which permissions to grant to loaded code from the resulting policy statements and the code request on the assembly.

<xref:System.Security.Policy.FileCodeGroup> uses union semantics and forms a permission set based on the <xref:System.Security.Policy.Url> specified by `evidence`.

]]></format>
</remarks>
<remarks>To be added.</remarks>
<exception cref="T:System.ArgumentNullException">The <paramref name="evidence" /> parameter is <see langword="null" />.</exception>
<exception cref="T:System.Security.Policy.PolicyException">The current policy is <see langword="null" />.
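Review bot: The deleted remarks are the only place in this member that says FileCodeGroup uses union semantics and forms the permission set from the Url specified by `evidence`; the summary and returns text kept above mention neither. Replacing that with "To be added." loses how the grant is computed, so retain that one sentence even if the paragraph about the .NET Framework security system goes.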

Expand Down Expand Up @@ -523,16 +483,7 @@
<param name="evidence">The evidence for the assembly.</param>
<summary>Resolves matching code groups.</summary>
<returns>A <see cref="T:System.Security.Policy.CodeGroup" /> that is the root of the tree of matching code groups.</returns>
<remarks>
<format type="text/markdown"><![CDATA[

## Remarks
Given evidence for an assembly to be loaded, this method evaluates the code group by first checking the membership condition against the specified evidence. If there is a match, this method returns a root code group. The code group that is returned contains child code groups, which in turn can have child code groups as necessary to reflect the complete set of code groups that were matched by the evidence provided.

<xref:System.Security.Policy.FileCodeGroup> uses union semantics and forms a permission set based on the <xref:System.Security.Policy.Url> specified by `evidence`.

]]></format>
</remarks>
<remarks>To be added.</remarks>
<exception cref="T:System.ArgumentNullException">The <paramref name="evidence" /> parameter is <see langword="null" />.</exception>
</Docs>
</Member>