views: 440
answers: 1
For a .NET assembly to allow anything other than fully trusted callers the assembly must be signed and attributed with AllowPartiallyTrustedCallers.

But even with this in place the CLR still (fortunately) checks code rights to ensure that the partially trusted caller can execute the desired code.

So my question is, why is the AllowPartiallyTrustedCallers attribute not assumed for all assemblies? Why not have the opposite where those who really don't want partially trusted callers have to use some attribute like DenyPartiallyTrustedCallers?

+3 A:

Writing code that can't be called by partially trusted callers is easy. Writing code that can be called is hard. That's why it's best to opt in and not out.

It's a big deal to have someone with less permissions call someone who has more permissions.

Some of this is discussed in more detail here: http://www.eggheadcafe.com/aspnet_answers/NETsecurity/Apr2006/post26607774.asp

Tony Lee
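The following is an added example, not code from the question or the answer above, showing the two halves of what is being discussed: a signed library that opts in with AllowPartiallyTrustedCallers and still relies on the CLR's stack-walking Demand, plus a per-member opt-out (a FullTrust LinkDemand) that behaves like the hypothetical DenyPartiallyTrustedCallers, exercised from a partially trusted caller in a sandboxed AppDomain. It assumes .NET Framework 4 with the pre-4.0 CAS rules selected via SecurityRuleSet.Level1 (drop that line on .NET 2.0/3.5); the names SafeLib, SafeReader, Caller, Harness, key.snk and aptca-demo.txt are made up for the example.

```csharp
// ---------- SafeLib.cs: the signed, opted-in library (added example) ----------
// Sign it so partial-trust callers may link to it at all:
//   csc /target:library /keyfile:key.snk /out:SafeLib.dll SafeLib.cs
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

// Opt in. Without this attribute the CLR puts an implicit FullTrust link demand
// on every public member, so partially trusted code cannot call anything here.
[assembly: AllowPartiallyTrustedCallers]
// .NET 4 only: keep the pre-4.0 CAS rules (LinkDemand/Assert) this example uses.
[assembly: SecurityRules(SecurityRuleSet.Level1)]

namespace SafeLib
{
    public class SafeReader : MarshalByRefObject
    {
        // Opting in does not switch the checks off: Demand walks the whole call
        // stack, so a partially trusted caller without read rights on 'path'
        // (expected absolute) gets a SecurityException before any I/O happens.
        // StreamReader would demand the same permission itself; the explicit
        // Demand just makes the check visible.
        public string ReadFirstLine(string path)
        {
            new FileIOPermission(FileIOPermissionAccess.Read, path).Demand();
            using (StreamReader r = new StreamReader(path))
                return r.ReadLine();
        }

        // Per-member equivalent of a "DenyPartiallyTrustedCallers": the JIT refuses
        // to compile any immediate caller that is not fully trusted. The Assert
        // stops the stack walk, which is exactly why such a member must not be
        // reachable from partial trust.
        [PermissionSet(SecurityAction.LinkDemand, Name = "FullTrust")]
        public string ReadAnyFile(string path)
        {
            new FileIOPermission(PermissionState.Unrestricted).Assert();
            try { return File.ReadAllText(path); }
            finally { CodeAccessPermission.RevertAssert(); }
        }
    }
}

// ---------- Harness.cs: a partially trusted caller in a sandbox (added example) ----------
//   csc /r:SafeLib.dll /out:Harness.exe Harness.cs
using System;
using System.IO;
using System.Reflection;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;
using SafeLib;

// Loaded into the sandbox, so it runs with Execution permission only.
public class Caller : MarshalByRefObject
{
    public string TryReadFirstLine(string path)
    {
        try { return "read: " + new SafeReader().ReadFirstLine(path); }
        catch (SecurityException e) { return "Demand blocked the call: " + e.Message; }
    }

    // The LinkDemand on ReadAnyFile fails when this method is JIT-compiled,
    // so the SecurityException surfaces in whoever calls TryReadAnyFile.
    public string TryReadAnyFile(string path)
    {
        return new SafeReader().ReadAnyFile(path);
    }
}

public static class Harness
{
    public static void Main()
    {
        string path = Path.Combine(Path.GetTempPath(), "aptca-demo.txt");
        File.WriteAllText(path, "constructed sample line");  // constructed input

        // Grant set for the sandbox: run code, nothing else (no file I/O).
        PermissionSet grant = new PermissionSet(PermissionState.None);
        grant.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));

        // SafeLib stays fully trusted inside the sandbox, identified by strong name;
        // everything else loaded there, including Caller, gets only 'grant'.
        AssemblyName lib = typeof(SafeReader).Assembly.GetName();
        StrongName libName = new StrongName(
            new StrongNamePublicKeyBlob(lib.GetPublicKey()), lib.Name, lib.Version);

        AppDomainSetup setup = new AppDomainSetup
        {
            ApplicationBase = AppDomain.CurrentDomain.BaseDirectory
        };
        AppDomain sandbox = AppDomain.CreateDomain("sandbox", null, setup, grant, libName);

        Caller caller = (Caller)sandbox.CreateInstanceAndUnwrap(
            typeof(Caller).Assembly.FullName, typeof(Caller).FullName);

        Console.WriteLine(caller.TryReadFirstLine(path));
        try
        {
            Console.WriteLine(caller.TryReadAnyFile(path));
        }
        catch (SecurityException e)
        {
            Console.WriteLine("LinkDemand blocked the call: " + e.Message);
        }
    }
}
```

Run Harness.exe after building both assemblies: the first call is stopped by the Demand inside ReadFirstLine even though the library is APTCA, and the second never executes because the FullTrust LinkDemand rejects Caller at JIT time. Remove the attribute on ReadAnyFile and the Assert would let a partially trusted caller read any file, which is the "less permissions calling more permissions" hazard the answer refers to, and why opting in is the deliberate act.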