Microsoft Web Sandbox
Welcome to the Microsoft Web Sandbox technology preview—a solution for securing web content through isolation.
Today web gadgets, mashup components, advertisements, and other 3rd party content on websites either run with full trust alongside your content or are isolated inside of IFrames. As a result, many modern web applications are intrinsically insecure, often with unpredictable service quality. Live Labs Web Sandbox addresses this problem.
We need your help advancing the technology.
What's new?
Two Extensibility Demos
We now have two demos that illustrate different approaches for extending Gadgets. Our newest Shared Library Demo shows how to secure an existing untrusted library and attach it to any existing sandbox without modification. In this demo, a simple hover effect library is exposed to all Gadgets.
This complements the existing Map Gadget Demo that illustrates how to safely expose a trusted library to your unstrusted code via a custom policy. In the Map demo, we expose APIs that allow you to safely manipulate a shared Virtual Earth Map control. You can use this same technique to provide safe access to any API enabling you to create a secure, customaizable, extensibility experience for your site.
Watch Scott Isaacs at Mix 09
The Microsoft Web Sandbox: An Open Source Framework for Developing Secure Standards-Based Web Applications
Hear a discussion about key challenges with Web security today and how the Microsoft Web Sandbox is addressing these challenges by virtualizing both script execution and the DOM. Learn about the Web Sandbox open source framework that runs on all modern browsers and builds on the ongoing ECMA TC-39 security working group efforts.
Web Sandbox Open Source License
The source code for the Web Sandbox JavaScript library is available under the Open Source Apache License 2.0.
Since the initial release of Web Sandbox we have received a great deal of feedback from the web security community. We have also been collaborating with a number of customers, partners and the standards communities that would like to adopt the technology when it is ready. Our goal is to achieve widespread adoption of Web Sandbox and to help foster interoperability with complementary technologies like script frameworks.
(Note: While we are using an Apache License, the Web Sandbox project is not sponsored or endorsed by the Apache Software Foundation and is not an ASF project.)
--
We frequently update the Web Sandbox with bug fixes and improvements. Track the latest changes .jpg){kind=small}
in the general discussion forum.
History
The Web Sandbox builds upon Microsoft’s experience with DHTML, Windows Live web-based gadgets, and the Microsoft Research BrowserShield project which pioneered JavaScript virtualization through rewriting. Live Labs worked with individuals and groups across Microsoft to build the technology preview announced at PDC 2008. Since then, we have open-sourced the framework and are partnering with other industry leaders to evolve Web Sandbox into an industry-wide solution.
How can you help?
We want you to get involved. We created a cross-browser JavaScript virtualization layer that provides a secure standards-based programming model without requiring any add-ons. We are not done yet. We need your help: experiment with the Sandbox and make sure it works. We've included a set of samples so you can try to break the Sandbox. Our goal is to provide reusable components that will allow you to secure your Web 2.0 mashups. Our goal is to work together to standardize a secure web platform.
Where do you send feedback?
We welcome your feedback in the Community Forums. We have two forums: one for general discussions and another for full disclosure of exploits.
Why are some web applications insecure?
An increasing number of Web 2.0 applications incorporate 3rd party content. There are two common patterns: via direct script inclusion or embedded in an IFrame.
- Components that are included directly execute with full trust and can access private information elsewhere on the page and site. The site is subject to intentional or non-intentional bugs that could compromise personal information or degrade the web application's quality of service.
- IFrames offer isolation but not complete security. Malicious code can try to install ActiveX controls, redirect users, interrogate your browser history, degrading the quality of service. IFrames also make it hard to provide an integrated experience and share data across components.
How do I get started?
This site allows developers to experiment with the Sandbox. We recommend you start with the documentation that contains code snippets you can quickly run within the Sandbox. You can also jump in and start experimenting with your own code. Lastly, you can try to break the sample applications provided.