Commit e1ff3e6

Added security update for CAS in ClickOnce
1 parent 7a0b7ff commit e1ff3e6

9 files changed: +36 -6 lines changed

docs/deployment/accessing-local-and-remote-data-in-clickonce-applications.md

Lines changed: 2 additions & 0 deletions
@@ -74,6 +74,8 @@ Most applications consume or produce data. ClickOnce gives you a variety of opti
7474

7575
Isolated Storage works in all versions of the .NET Framework. Isolated Storage also works in partially trusted applications without the need for additional permission grants. You should use Isolated Storage if your application must run in partial trust, but must maintain application-specific data.
7676

77+
[!INCLUDE[ndptecclick](../deployment/includes/code-access-security-partial-trust.md)]
78+
7779
For more information, see [Isolated Storage](/dotnet/standard/io/isolated-storage).
7880

7981
### Other local files
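
Review bot: The unchanged sentence on line 75, "You should use Isolated Storage if your application must run in partial trust", still recommends designing for partial trust, while the include added directly below it on line 77 says partial trust is unsupported on .NET Core and .NET 5 or later and that Code Access Security is not recommended on .NET Framework. Reword that sentence in the same change so it is scoped to existing .NET Framework applications; as it stands the paragraph and the note give opposite guidance.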

docs/deployment/clickonce-security-and-deployment.md

Lines changed: 1 addition & 1 deletion
@@ -47,7 +47,7 @@ ClickOnce is a deployment technology that enables you to create self-updating Wi
4747
### Code access security
4848
Code access security helps limit the access that code has to protected resources. In most cases, you can choose the Internet or Local Intranet zones to limit the permissions. Use the **Security** page in the **Project Designer** to request the zone appropriate for the application. You can also debug applications with restricted permissions to emulate the end-user experience. For more information, see [Code access security for ClickOnce applications](../deployment/code-access-security-for-clickonce-applications.md).
4949

50-
[!INCLUDE[ndptecclick](../deployment/includes/dotnet-feature-unsupported.md)]
50+
[!INCLUDE[ndptecclick](../deployment/includes/code-access-security.md)]
5151

5252
### ClickOnce trust prompt
5353
If the application requests more permissions than the zone allows, the end user can be prompted to make a trust decision. The end user can decide if ClickOnce applications such as Windows Forms applications, Windows Presentation Foundation applications, console applications, XAML browser applications, and Office solutions are trusted to run. For more information, see [How to: Configure the ClickOnce trust prompt behavior](../deployment/how-to-configure-the-clickonce-trust-prompt-behavior.md).

docs/deployment/code-access-security-for-clickonce-applications.md

Lines changed: 2 additions & 2 deletions
@@ -1,7 +1,7 @@
11
---
22
title: "Code Access Security for ClickOnce Applications"
33
description: Explore code access security for ClickOnce applications and how to configure the code access security permissions in Visual Studio.
4-
ms.date: "11/04/2016"
4+
ms.date: "04/25/2025"
55
ms.topic: "conceptual"
66
f1_keywords:
77
- "vb.XBAPProjectPropertiesSecurity.HowTo"
@@ -29,7 +29,7 @@ ClickOnce applications are based on the .NET Framework and are subject to code a
2929

3030
Code access security is a mechanism in the .NET Framework that helps limit the access that code has to protected resources and operations. You should configure the code access security permissions for your ClickOnce application to use the zone appropriate for the location of the application installer. In most cases, you can choose the **Internet** zone for a limited set of permissions or the **Local Intranet** zone for a greater set of permissions.
3131

32-
[!INCLUDE[ndptecclick](../deployment/includes/dotnet-feature-unsupported.md)]
32+
[!INCLUDE[ndptecclick](../deployment/includes/code-access-security.md)]
3333

3434
## Default ClickOnce code access security
3535
By default, a ClickOnce application receives Full Trust permissions when it is installed or run on a client computer.

docs/deployment/how-to-enable-clickonce-security-settings.md

Lines changed: 2 additions & 2 deletions
@@ -1,7 +1,7 @@
11
---
22
title: Enable & configure ClickOnce security
33
description: Learn how the Publish wizard automatically enables code access security for ClickOnce applications to publish the application.
4-
ms.date: 08/04/2023
4+
ms.date: 04/25/2025
55
ms.topic: how-to
66
dev_langs:
77
- VB
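
Review bot: `ms.date` is bumped on line 4 of this front matter and in code-access-security-for-clickonce-applications.md, but the five other existing articles edited in this commit show no `ms.date` hunk even though each one gains or swaps the same kind of include. Either update the date in all seven articles or note in the commit message why only these two count as refreshed.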
@@ -20,7 +20,7 @@ ms.subservice: deployment
2020

2121
You can enable and configure ClickOnce security settings in the **Security** page of the **Project Designer**. In this article, you learn how to enable security settings, configure security zones, and configure customized security zones.
2222

23-
[!INCLUDE[ndptecclick](../deployment/includes/dotnet-task-unsupported.md)]
23+
[!INCLUDE[ndptecclick](../deployment/includes/code-access-security.md)]
2424

2525
## Enable ClickOnce security settings
2626
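
Review bot: On line 23 the task-level include (dotnet-task-unsupported.md) is replaced by the feature-level note, but this is a how-to and the intro on line 21 still promises steps to "enable security settings, configure security zones, and configure customized security zones" with no scoping. Add a sentence stating which project types the procedure applies to, so a reader on .NET Core or .NET 5 or later learns before the first step that these settings are unsupported there.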

docs/deployment/how-to-specify-where-visual-studio-copies-the-files.md

Lines changed: 2 additions & 0 deletions
@@ -288,6 +288,8 @@ While Visual Studio, *Mage.exe*, and *MageUI.exe* can all be used to generate Cl
288288

289289
The support URL isn't displayed on the dialog box if the application is marked to run in partial trust.
290290

291+
[!INCLUDE[ndptecclick](../deployment/includes/code-access-security-partial-trust.md)]
292+
291293
## Change the publish language for a ClickOnce application
292294

293295
When publishing a ClickOnce application, the user interface displayed during installation defaults to the language and culture of your development computer. If you're publishing a localized application, you'll need to specify a language and culture to match the localized version. This is determined by the `Publish language` property for your project.
Lines changed: 12 additions & 0 deletions
@@ -0,0 +1,12 @@
1+
---
2+
title: Visual Studio ClickOnce partial trust and code access security
3+
author: mikejo5000
4+
description: Learn about partial trust and Code Access Security support in ClickOnce
5+
ms.author: mikejo
6+
ms.date: 04/25/2025
7+
ms.subservice: deployment
8+
ms.topic: include
9+
---
10+
11+
> [!NOTE]
12+
> In ClickOnce for .NET Core and .NET 5 or later, partial trust, which requires Code Access Security, is unsupported. In .NET Framework, the use of Code Access Security is not recommended.
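
Review bot: The second sentence of the note on line 12, "In .NET Framework, the use of Code Access Security is not recommended", tells the reader to avoid the feature but gives no reason and no pointer to what to rely on instead. This include lands in articles that still describe partial-trust behavior, so add a link to the guidance behind the recommendation or a short clause naming the alternative.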
Lines changed: 12 additions & 0 deletions
@@ -0,0 +1,12 @@
1+
---
2+
title: Visual Studio ClickOnce code access security
3+
author: mikejo5000
4+
description: Learn about Code Access Security support in ClickOnce
5+
ms.author: mikejo
6+
ms.date: 04/25/2025
7+
ms.subservice: deployment
8+
ms.topic: include
9+
---
10+
11+
> [!NOTE]
12+
> In ClickOnce for .NET Core and .NET 5 or later, Code Access Security is unsupported. In .NET Framework, the use of Code Access Security is not recommended.
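
Review bot: This include repeats the partial-trust include added just above it line for line, differing only in the title, the description and the "partial trust, which requires Code Access Security," clause on line 12, so the two notes can drift apart on later edits. Consider a single include whose wording covers both cases, or add a comment in each file pointing at its sibling.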

docs/deployment/securing-clickonce-applications.md

Lines changed: 1 addition & 1 deletion
@@ -39,7 +39,7 @@ ClickOnce applications are subject to code access security constraints in the .N
3939
## Code access security policies
4040
Permissions for an application are determined by the settings in the [\<trustInfo> Element](../deployment/trustinfo-element-clickonce-application.md) element of the application manifest. Visual Studio automatically generates this information based on the settings on the project's **Security** property page. A ClickOnce application is granted only the specific permissions that it requests. For example, where file access requires full-trust permissions, if the application requests file-access permission, it will only be granted file-access permission, not full-trust permissions. When developing your ClickOnce application, you should make sure that you request only the specific permissions that the application needs. In most cases, you can use the Internet or Local Intranet zones to limit your application to partial trust. For more information, see [How to: Set a security zone for a ClickOnce application](../deployment/how-to-enable-clickonce-security-settings.md#set-a-security-zone-for-a-clickonce-application). If your application requires custom permissions, you can create a custom zone. For more information, see [How to: Set custom permissions for a ClickOnce application](../deployment/how-to-enable-clickonce-security-settings.md#set-custom-permissions-for-a-clickonce-application).
4141

42-
[!INCLUDE[ndptecclick](../deployment/includes/dotnet-feature-unsupported.md)]
42+
[!INCLUDE[ndptecclick](../deployment/includes/code-access-security.md)]
4343

4444
Including a permission that isn't part of the default permission set for the zone from which the application is deployed will cause the end user to be prompted to grant permission at install or update time. To prevent users from being prompted, a system administrator can specify a ClickOnce deployment policy that defines a specific application publisher as a trusted source. On computers where this policy is deployed, permissions will automatically be granted and the user won't be prompted.
4545
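
Review bot: The paragraph on line 40 explicitly tells readers to "use the Internet or Local Intranet zones to limit your application to partial trust", yet line 42 pulls in code-access-security.md rather than the code-access-security-partial-trust.md variant that this commit places next to other partial-trust statements. Use the partial-trust include here, or document the rule for choosing between the two so later edits stay consistent.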

docs/deployment/security-versioning-and-manifest-issues-in-clickonce-deployments.md

Lines changed: 2 additions & 0 deletions
@@ -41,6 +41,8 @@ If you're developing an application that requires administrator permissions for
4141

4242
If your ClickOnce application runs online instead of through an installation, it must fit within the quota set aside for online applications. Also, a network application that runs in partial trust, such as with a restricted set of security permissions, can't be larger than half of the quota size.
4343

44+
[!INCLUDE[ndptecclick](../deployment/includes/code-access-security-partial-trust.md)]
45+
4446
For more information, and instructions about how to change the online application quota, see [ClickOnce cache overview](../deployment/clickonce-cache-overview.md).
4547

4648
## Versioning issues
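
Review bot: The include on line 44 is inserted between the quota paragraph and its follow-up sentence on line 46 ("For more information, and instructions about how to change the online application quota..."), which separates the statement from its reference and makes the link read as if it belonged to the note. Move the include below line 46 so the quota text stays together.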
