Corey Roth [MVP]

When it comes to development, the introduction of the application model overshadows many of the other new things happening in SharePoint 2013 development.  I noticed one particular change as I was working on a new slide deck regarding the change to the default trust level of a web application.  In SharePoint 2007 and SharePoint 2010, the Trust element was set to a value of WSS_Minimal.  Effectively what this did was it meant that any DLL deployed to the web application bin folder was untrusted.  This meant your code had to either run in the GAC (giving it full trust) or you had to specify Code Access Security (CAS) policies to enable partial trust.  CAS policies were quite complicated and most SharePoint developers did not know how to implement them.  However, in the 2007 days I was a big fan of them and got many developers started with this blog post and later with this post for SharePoint 2010.

In SharePoint 2013 Preview, this changes.  The trust level is now set to Full. 

According to the very little information I have found on the topic this is due to the fact that .NET 4.0 has a new CAS model.  The legacyCasModel attribute is set to true to enable previously written code with CAS policies to still function.  What this means is that code can now be deployed to the bin folder (which is faster) and it will have the same permissions as if deployed to the GAC.  Now what this means from a security stand point is up for debate I am sure.  However when Visual Studio 2010 came out everyone started deploying to the GAC any ways since it was just so much easier.  In reality, it probably doesn’t affect things much in the scheme of things.  Of course if you are developing sandboxed solutions or for the new app model this makes little difference to you.  I still thought it was an interesting change.