NGWS SDK Documentation  

This is preliminary documentation and subject to change.

Policy for application domains

Application domains are the unit of execution for single applications (this is a simplification for this discussion only). The fundamental goal of security on application domains is to ensure that code in a domain runs with restrictions appropriate to that domain, and that it cannot interact with applications in other domains (which, for managed code, includes domains in the same process) except through well-defined interfaces to services and resources. For example, use of the File object allows one domain to affect another on the same system; apart from services of this sort, we strive to keep domains isolated.

The prime motivation for this feature is to support the web browser security model. On the web, the DNS site name of a page (so-called “DOCBASE”) corresponds to the “application”. A given page may contain a component, such as an ActiveX control, that is downloaded from a different web site (so-called “CODEBASE”). By running the component (CODEBASE) in a domain whose associated permissions are derived from the application (DOCBASE), the system ensures that if the two have different permissions, only the lesser – the intersection – will apply.
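The intersection rule described above can be modelled in a few lines. This is an added example, not NGWS code or an NGWS API: the permission type names ("connect", "ui", "file_read"), the host names and the `UNRESTRICTED` sentinel are all assumptions made for illustration.

```python
# Model of the effective grant for a CODEBASE component running in a
# DOCBASE-derived domain. Illustrative only; not an NGWS API.

UNRESTRICTED = object()  # sentinel: every value of this permission type is allowed


def intersect(a, b):
    """Per-type intersection of two grants.

    A grant maps a permission type to a set of allowed values or UNRESTRICTED.
    A type that is missing from either grant is denied in the result.
    """
    result = {}
    for ptype in a.keys() & b.keys():
        x, y = a[ptype], b[ptype]
        if x is UNRESTRICTED:
            merged = y          # unrestricted on one side: the other side decides
        elif y is UNRESTRICTED:
            merged = x
        else:
            merged = x & y      # both limited: keep only the common values
        if merged is UNRESTRICTED or merged:
            result[ptype] = merged  # drop types whose intersection is empty
    return result


def allowed(grant, ptype, value):
    """True if the grant permits `value` for permission type `ptype`."""
    g = grant.get(ptype)
    return g is UNRESTRICTED or (g is not None and value in g)


# Constructed sample policy (hypothetical hosts and permission types).
DOCBASE_GRANT = {            # the page, served from www.example.com
    "connect": {"www.example.com"},
    "ui": UNRESTRICTED,
}
CODEBASE_GRANT = {           # the control, downloaded from controls.example.net
    "connect": {"www.example.com", "controls.example.net"},
    "ui": {"safe_windows"},
    "file_read": {"C:\\temp"},
}


def effective_grant():
    """Permissions the component actually runs with inside the domain."""
    return intersect(DOCBASE_GRANT, CODEBASE_GRANT)
```

In this model the component loses `file_read` entirely and cannot connect to its own CODEBASE host, because the DOCBASE grant includes neither.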