Using the Site

This site allows developers to experiment with the Sandbox. There are several ways to experiment. First, as you follow along with the documentation, you can run any of the code snippets in the Sandbox. Once you feel comfortable with the Sandbox, you can write and run your code. Finally, once you understand the security model, you can try to break the sample applications provided. Which of these modes is suitable for you depends on the purpose of your experiments.

Running any sample code exercises all the components of our solution, from the transformation pipeline that injects the intercepting layer in your original source code, to the Sandbox where the code executes, to the policies that determine what your code can and cannot do.

Client, Server, or Cloud-based Transformation

We insert the intercepting layer through a code transformation. By default this transformation executes server side, on our servers. Two additional options are available. If Silverlight is installed the transformation could execute client-side, thus saving the round-trip to the server. The transformation could also execute in the cloud, on the Azure Services Platform Community Technology Preview. (Note that the Azure transformation is enabled only when the gadget code is specified via a URL.)

The three options use the same codebase. The platform helped us extend the implementation, initially targeted at our server, to first cover the browser, and then to cover the cloud. Consequently, regardless of where it is hosted, the transformation should have the same result. You can choose which approach to use via the appropriate checkbox on the Sandbox experimentation pages.

Transform Engine Options Screenshot

Code Snippets

The Sandbox documentation contains embedded code snippets. The code snippets help you understand the security model. They focus on individual aspects, such as the ability to disable long-running code, and so on. Next to each snippet there is a "Run in Sandbox" button. Clicking this button opens a new browser window where the snippet executes in the Sandbox.


Once the Sandbox experiment page comes up you can modify and add the modified code to the page with a click of a button. You can also Pause, Clone, Reload or Remove the code.

Creating Gadgets Screenshot

As the Sandbox virtualizes the execution of each code snippet, these functions perform exactly what their name implies. Pause suspends the execution of the code snippet, turning the status indicator from green to yellow. The state freezes and the Pause button morphs into Resume, which when selected resumes the execution.

Sandboxed Gadgets Screenshot

Clone creates and executes an identical instance of the code; the Sandbox isolates each instance from the others. Use Reload to enable code disabled by the Sandbox--signaled by a red status indicator. Remove is self-explanatory.

Writing Gadgets

Another way of experimenting with the Sandbox is by writing gadgets. You can do it inline by filling out a simple HTML document template in the Sandbox experiment page. The template clearly indicates the places for CSS, JavaScript, and HTML code. Alternatively you could upload code from an URL.

Creating Gadgets Screenshot

Regardless of how you provide your gadget code, we first inject the intercepting layer and then execute it in the Sandbox. The experiment page offers the same options as for code snippets: server or client-based transformation, Pause/Resume, Clone, Reload and Remove controls.

Sample Applications

After experimenting with the code snippets and building our own gadgets we can try to break out of the Sandbox. To facilitate that the site provides several sample applications. They run in the browser as trusted code, outside the Sandbox. We can inject source code and request it to be executed as untrusted code (i.e., Sandboxed), alongside these samples. The sample applications suggest a few ways to interfere with them, such as modifying the displayed values, extracting sensitive content, crashing, and so on.

Stock Sample Screenshot

Debug Mode

The Sandbox currently disables the debugger JavaScript keyword. You can enable debugging by appending ?debug=true to any of the sample page URLs. This loads the Sandbox engine uncompressed, disables quality of service detection, and allows you to more easily debug your code.