Making Web Requests in Medium Trust

Trust levels in web development can be a pain in the rear. As a developer, I tend to not like them, because when they’re important it means that my options are being restricted. I am often required to perform extra work to complete the same tasks I would be performing elsewhere.

Medium trust is the trust level commonly used by web hosting companies, because it gives them a good balance of security and options. Ideally, as a programmer I can work in full trust, which allows me to do pretty much anything I want. That is, however, not at all what shared hosting requires. They need some extra added security.

Generally we develop for medium trust when we are either on a medium trust hoster or are working on a program which could be hosted in many places (including shared hosting).

For a project on which I am currently working, we needed to bypass some restrictions of medium trust to allow us to make an external request to a web service on another domain. Doing this will cause a security exception at run time. Keep in mind that the trust level can be violated when the site compiles, because certain things cannot be used at all in medium trust. In this case, it is our external service which caused the issue. I believe you could also have an issue if you’re running a web farm.

So how do we get around it?

We need to set up our trust element in the web.config file and hope that the hosting company is not overriding the use of this work-around. If the hoster is blocking this trick then you will want to see if you can resolve the issue using proxies. Some hosting companies will work with you to get your application running as long as it is not a security risk for them.

The key is the “originUrl” property of the trust element. We need to set that using a regular expression to define which URL we want to use. You should try to be more specific with the regular expression, but “.*” is still OK. That one will basically say any combination of any characters is OK. If we want to be more specific we might say that since our web service calls are all on the same domain we could use something like this “*”, and this would allow anything on that site.

<trust level="Medium" originUrl=".*" />
<!-- or this -->
<trust level="Medium" originUrl="*" />

If you need it, you can use this Regular Expression Cheat Sheet and this Regular Expression Tester.