Microsoft Web Sandbox

Welcome to the Microsoft Web Sandbox technology preview—a solution for securing web content through isolation.

Today web gadgets, mashup components, advertisements, and other 3rd party content on websites either run with full trust alongside your content or are isolated inside of IFrames. As a result, many modern web applications are intrinsically insecure, often with unpredictable service quality. The Web Sandbox addresses this problem.

What's new?

December 16, 2010

The WebSandbox is more than just a security technology. Enabling secure third party content allows the creation of richer and more powerful interactive scenarios. Today, Microsoft Hotmail announced the next evolution of e-mail with their Active Views platform. With Active Views, e-mails now have the ability to contain and execute JavaScript. For users, e-mail becomes a more engaging and interactive experience. For Hotmail, the WebSandbox technology secures the Active Views platform by protecting both the user and experience from malicious and accidental errors.

Please see the Windows Live blog for more information and enjoy the next innovation in e-mail.

November 3, 2010

Our new domain, http://www.websandbox.org, is now active. Websandbox.livelabs.com will be decommissioned in the very near future.

The sandbox was updated with bug fixes.

October 1, 2010

This update focused mostly on improving the XML DOM support.

  • Added get/set/hasAttribute (including NS variation), normalize, and hasChildNodes to XML Element.
  • Added textContent property to XML Element (on supported browsers).
  • The XML DOM tree is now fully read/write with support for createElement, createTextNode, appendChild, insertBefore, replaceChild, removeChild, and cloneNode.
  • Added item method to the XML NodeList.
  • Fixed IE issue with "background: transparent" where additional CSS properties were getting overridden.
  • Fixed bug with form input elements not getting the proper default value when reset.

September 14, 2010

More bug fixes and API improvements:

  • Added support for the Element Traversal Spec
  • XML DOM Fixes: selectNodes support in IE and getElementsByTagName.
  • Fixed typo with the stopPropagation method.
  • Fixed handling of return false in event handlers on hyperlinks.
  • Support for tabIndex values 0 and 1.
  • Support for pageXOffset and pageYOffset (on appropriate browsers).
  • Fixed issue with new Image() and calculating image sizes.
  • Fixed sequencing issue where accessing currentStyle property made the style object read-only.
  • Protection preventing sandboxed code nested in a form from submitting the form.
  • Improved support for the in operator against the window and document objects.
  • Added support for the parentWindow property to the document object.

August 11, 2010

This update focuses on a few performance issues.

  • Only initialize the window once, not for each sandbox instance.
  • Fix to work-around WebKit's CSS DOM performance issues (huge performance improvement).
  • Fix global stylesheet clean-up.
  • Fix to more accurately test that a method is natively implemented versus defined by the Host Page (reduces potential for conflict between the sandbox and outer page).

July 21, 2010

This is a fairly large update to improve support for common web frameworks and libraries. Below are highlights of a few of the fixes:

  • Fixes for input elements including <button type="..."> support and IE's document.createElement("<tag property='value'>") syntax.
  • Added support for getComputedStyle(element,null).getPropertyValue.memberName.
  • NamedNodeMaps can access members by member name (similar to the fix for getComputedStyle above).
  • Fixed support for cancelling a hyperlink's default action by returning false to the event.
  • Executing a regular expression against a regular expression type now works.
  • Fixed issues with prototype inheritance. This should fix the extend pattern used by most frameworks.
  • Event object fixes including relatedTarget and added custom property support to the event object.
  • Support for hasOwnProperty method.
  • Default value of calculated opacity is now 1 in all browsers.
  • Support for getBoundingClientRect.
  • Fixed a dynamic script loading timing issue to support YUI's dynamic loader.
  • Support for invoking document.all() as a method in addition to the traditional [] notation.
  • Fix bug in the scoping of Array.forEach.
  • Support for HSL and HSLA colors (passes through to the browser so assumes browser support)
  • Support for more CSS3 background properties.
  • Support for textContent and getElementsByClassName on browsers that have native support.
  • A number of other minor bug fixes.

June 29, 2010

This update focuses on the CSS.

  • CSS2 attribute selectors are now parsed.
  • RGB and RGBa values are now parsed.
  • Rounded corners and box-shadows (including the webkit and mozilla proprietary equivalents) are now enabled.
  • In Internet Explorer, all samples are run in the latest browser mode (Sandboxed Canvas not working in IE9 is a known issue).

June 25, 2010

We are working on improving the fidelity of the original document structure. This update includes the following changes:

  • We are working on properly supporting the DOM for head elements. This update supports the TITLE, META, and SCRIPT elements. Script elements are properly represented relative to their document location.
  • The scripts collection as well as attributes on individual SCRIPT elements are properly exposed. We now ignore SCRIPT elements that are specified via the TYPE attribute as not containing JavaScript.
  • The document anchors and lists collections are now properly supported.
  • Line-breaks in TEXTAREA and PRE elements are fixed.
  • For the media attribute on LINK and STYLE elements, only sheets that target the screen or all media types are supported. Print stylesheets are on our TODO list.
  • Other small bug-fixes in prototype chain handling.

May 25, 2010

Today we released a refactored Sandbox script. This update has a much cleaner, more optimized policy file that uses 20K less code, significantly fewer JavaScript closures, and enforces more consistency through a prescribed definition pattern. We also keep expanding support for more APIs, have started on some of the HTML 5 features, and are focusing on supporting the various framework libraries.

Below are some of the highlights:

  • Every method by definition exposes its corresponding property.
  • Enable Firefox's funky if (document.all) // return false test even though document.all is supported.
  • Better support for routing keyboard events to the document.
  • Fixes to support jQuery better (still a work in progress).
  • Improved inner/outerHTML, regular expression, and mouse positioning support.
  • Support for Canvas (requires browser support).
  • Support for hyperlink javascript-based URLs in the initial HTML.

March 1, 2010 - Catching Up!

Over the past few months, we have been quietly updating the Sandbox script. Below are some of the more significant changes:

  • Lots of bug fixes (e.g., getVarDate, NaN.toString(), regular expression issues, prototype inheritance, styling input elements, and more).
  • Added better host integration events (onbeforeqos, onxmlrequest, onerror, onformsubmit, and more). We are working on the host integration documentation.
  • Introduced a new isolate policy that matches the IFrame behavior providing full isolation of content from the surrounding page.
  • Basic support for the IFrame element. IFrame contents are now generated and encapsulated in their own sandbox.
  • Enable support for dynamically loading the sandbox library.
  • Huge performance improvements for processing stylesheets and the initial HTML.

Meet Scott Isaacs in Boston at Ajax Experience, Sept 14-16

Learn more about Web 2.0 security and sandboxes at Ajax Experience. Scott will be presenting Beyond IFrames: WebSandboxes on Monday, September 14 and will be participating in the Secure Mashups: Getting to Safe Web Plugins panel on Wednesday, September 16th.

Big Infrastructure Changes! Better Parsing, Bug Fixes and More...

We just released our biggest update. We performed major work on the backend transformation engines, parsers, and security architecture. The HTML parser is now more flexible, no longer requiring perfectly structured HTML. We changed a significant amount of code, so don't be surprised if a few areas are slightly destabilized (be sure to report any issues in our forums).

Two Extensibility Demos

We now have two demos that illustrate different approaches for extending Gadgets. Our newest Shared Library Demo shows how to secure an existing untrusted library and attach it to any existing sandbox without modification. In this demo, a simple hover effect library is exposed to all Gadgets.

This complements the existing Map Gadget Demo that illustrates how to safely expose a trusted library to your untrusted code via a custom policy. In the Map demo, we expose APIs that allow you to safely manipulate a shared Virtual Earth Map control. You can use this same technique to provide safe access to any API, enabling you to create a secure, customizable extensibility experience for your site.

Watch Scott Isaacs at Mix 09

The Microsoft Web Sandbox: An Open Source Framework for Developing Secure Standards-Based Web Applications
Hear a discussion about key challenges with Web security today and how the Microsoft Web Sandbox is addressing these challenges by virtualizing both script execution and the DOM. Learn about the Web Sandbox open source framework that runs on all modern browsers and builds on the ongoing ECMA TC-39 security working group efforts.

Watch the presentation on-line.

Web Sandbox Open Source License

The source code for the Web Sandbox JavaScript library is available under the Open Source Apache License 2.0.

Since the initial release of Web Sandbox we have received a great deal of feedback from the web security community. We have also been collaborating with a number of customers, partners and the standards communities that would like to adopt the technology when it is ready. Our goal is to achieve widespread adoption of Web Sandbox and to help foster interoperability with complementary technologies like script frameworks.

(Note: While we are using an Apache License, the Web Sandbox project is not sponsored or endorsed by the Apache Software Foundation and is not an ASF project.)

--
We frequently update the Web Sandbox with bug fixes and improvements. Track the latest changes in the general discussion forum.

History

The Web Sandbox builds upon Microsoft’s experience with DHTML, Windows Live web-based gadgets, and the Microsoft Research BrowserShield project which pioneered JavaScript virtualization through rewriting. We worked with individuals and groups across Microsoft to build the technology preview announced at PDC 2008. Since then, we have open-sourced the framework and are partnering with other industry leaders to evolve Web Sandbox into an industry-wide solution.

How can you help?

We want you to get involved. We created a cross-browser JavaScript virtualization layer that provides a secure standards-based programming model without requiring any add-ons. We are not done yet. We need your help: experiment with the Sandbox and make sure it works. We've included a set of samples so you can try to break the Sandbox. Our goal is to provide reusable components that will allow you to secure your Web 2.0 mashups. Our goal is to work together to standardize a secure web platform.

Where do you send feedback?

We welcome your feedback in the Community Forums. We have two forums: one for general discussions and another for full disclosure of exploits.

Why are some web applications insecure?

An increasing number of Web 2.0 applications incorporate 3rd party content. There are two common patterns: direct script inclusion or embedding in an IFrame.

How do I get started?

This site allows developers to experiment with the Sandbox. We recommend you start with the documentation that contains code snippets you can quickly run within the Sandbox. You can also jump in and start experimenting with your own code. Lastly, you can try to break the sample applications provided.