Document correct serialization of exceptions in security-transparent assemblies

[fschmied]

When implementing exceptions with state, it's necessary to implement serialization in order to allow such exceptions to pass AppDomain boundaries. Up to .NET 4, this was done simply by overriding GetObjectData and providing a deserialization constructor.

Starting with .NET 4 and its security model, this is no longer possible with assemblies that have the AllowPartiallyTrustedCallersAttribute. As these are loaded to be security-transparent, they cannot override GetObjectData. .NET 4 therefore added Exception.SerializeObjectState (https://docs.microsoft.com/de-de/dotnet/api/system.exception.serializeobjectstate?view=netframework-4.7.1), thus defining a new pattern for serializable exceptions.

This new pattern is however insufficiently documented. It should be explained in the "Remarks" sections of both the System.Exception class (https://docs.microsoft.com/de-de/dotnet/api/system.exception?view=netframework-4.7.1) and the Exception.GetObjectData method (https://docs.microsoft.com/de-de/dotnet/api/system.exception.getobjectdata?view=netframework-4.7.1#System_Exception_GetObjectData_System_Runtime_Serialization_SerializationInfo_System_Runtime_Serialization_StreamingContext_).

[mairaw]

Thanks @fschmied. @ViktorHofer would you be the right person to discuss this proposal?

[ViktorHofer]

Thanks for the ask. You are absolutely right, Exception.SerializeObjectState is something more recent and used by the Desktop framework. In Core we don't have that at all as we don't support Code Access Security or multiple AppDomains anymore. Therefore the ask for documenting this would only apply to the Desktop framework. This isn't currently very high on my todo list.

[mairaw]

Thanks @ViktorHofer. We've added this as P2 into our backlog so the prioritization is correct.