Microsoft Web Sandbox
Welcome to the Microsoft Web Sandbox technology preview—a solution for securing web content through isolation.
Today web gadgets, mashup components, advertisements, and other 3rd party content on websites either run with full trust alongside your content or are isolated inside of IFrames. As a result, many modern web applications are intrinsically insecure, often with unpredictable service quality. The Web Sandbox addresses this problem.
December 16, 2010
Please see the Windows Live blog for more information and enjoy the next innovation in e-mail.
November 3, 2010
Our new domain, http://www.websandbox.org is now active. Websandbox.livelabs.com will be decomissioned in the very near future.
The sandbox was updated with bug fixes.
October 1, 2010
This update focused mostly on improving the XML Dom support.
- Added get/set/hasAttribute (including NS variation), normalize, and hasChildNodes to XML Element.
- Added textContent property to XML Element (on supported browsers).
- The XML DOM tree is now fully read/write with support for createElement, createTextNode, appendChild, insertBefore, replaceChild, removeChild, and cloneNode.
- Added item method to the XML NodeList.
- Fixed IE issue with "background: transparent" where additional CSS properties were getting overidden.
- Fixed bug with form input elements not getting the proper default value when reset.
September 14, 2010
More bug fixes and API improvements:
- Added support for the Element Traversal Spec
- XML DOM Fixes: selectNodes support in IE and getElementsByTagName.
- Fixed typo with the stopPropagation method.
- Fix return false to event handlers on hyperlinks.
- Support for tabIndex values 0 and 1.
- Support for pageXOffset and pageYOffset (on appropriate browsers).
- Fixed issue with new Image() and calculating image sizes.
- Fixed sequencing issue where accessing currentStyle property made the style object read-only.
- Protection preventing sandboxed code nested in a form from submitting the form.
- Improved support for the in operator against the window and document objects.
- Added support for the parentWindow property to the document object.
August 11, 2010
This update focuses on a few performance issues.
- Only initialize the window once, not for each sandbox instance.
- Fix to work-around WebKit's CSS DOM performance issues (huge performance improvement).
- Fix global stylesheet clean-up.
- Fix to more accurately test that a method is natively implemented versus defined by the Host Page (reduces potential for conflict between the sandbox and outer page).
July 21, 2010
This is a fairly large update to improve support for common web frameworks and libraries. Below highlights a few of the fixes
- Fixes for input elements including
<button type="...">support and IE's
- Added support for
- NamedNodeMaps can access members by member name (similar to the fix for getComputedStyle above).
- Fixed support for cancelling a hyperlinks default action by returning false to the event.
- Executing a regular expression against a regular expression type now works.
- Fixed issues with prototype inheritance. This should fix the extend pattern used by most frameworks.
- Event object fixes including relatedTarget and added custom property support to the event object.
- Support for hasOwnProperty method.
- Default value of calculated opacity is now 1 in all browsers.
- Support for getBoundingClientRect.
- Fixed a dynamic script loading timing issue to support YUI's dynamic loader.
- Support for invoking document.all() as a method in addition to the traditional  notation.
- Fix bug in the scoping of Array.forEach.
- Support for HSL and HSLA colors (passes through to the browser so assumes browser support)
- Support for more CSS3 background properties.
- Support for textContent and getElementsByClassName on browsers that have native support.
- A number of other minor bug fixes.
June 29, 2010
This update focuses on the CSS.
- CSS2 attribute selectors are now parsed.
- RGB and RGBa values are now parsed.
- Rounded corners and box-shadows (including the webkit and mozilla proprietary equivalents) are now enabled.
- In Internet Explorer, all samples are run in the latest browser mode (Sandboxed Canvas not working in IE9 is a known issue).
June 25, 2010
We are working on improving the fidelity of the original document structure. This update includes the following changes:
- We are working on properly supporting the DOM for head elements. This update supports the TITLE, META, and SCRIPT elements. Script elements are properly represented relative to their document location.
- The document
listscollections are now properly supported.
- Line-breaks in TEXTAREA and PRE elements are fixed.
- For the media attribute on LINK and STYLE elements, only sheets that target the screen or all media types are supported. Print stylesheets are on our TODO list.
- Other small bug-fixes in prototype chain handling.
May 25, 2010
Below are some of the highlights:
- Every method by definition exposes its corresponding property.
- Enable Firefox'es funky
if (documennt.all) // return falsetest even though document.all is supported.
- Better support for routing keyboard events to the document.
- Fixes to support JQuery better (still a work in progress).
- Improved inner/outerHTML, regular expression, and mouse positioning support.
- Support for Canvas (requires browser support).
March 1, 2010 - Catching Up!
Over the past few months, we have been quietly updating the Sandbox script. Below highlights some of the more significant changes:
- Lots of bug fixes (e.g., getVarDate, NaN.toString(), regular expression issues, prototype inheritance, styling input elements, and more).
- Added better host integration events (onbeforeqos, onxmlrequest, onerror, onformsubmit, and more). We are working on the host integration documentation.
- Introduced a new isolate policy that matches the IFrame behavior providing full isolation of content from the surrounding page.
- Basic support for the IFrame element. IFrame contents are now generated and encapsulated in their own sandbox.
- Enable support for dynamically loading the sandbox library.
- Huge performance improvements for processing stylesheets and the initial HTML.
Meet Scott Isaacs in Boston at Ajax Experience, Sept 14-16
Learn more about Web 2.0 security and sandboxes at Ajax Experience. Scott will be presenting Beyond IFrames: WebSandboxes on Monday, September 14 and will be participating in the Secure Mashups: Getting to Safe Web Plugins panel on Wednesday, September 16th.
Big Infrastructure Changes! Better Parsing, Bug Fixes and More...
We just released our biggest update. We performed major work on the backend transformation engines, parsers, and security architecture. The HTML parser is now more flexible no longer requiring perfectly structured HTML. We changed a significant amount of code so don't be surprised if a few areas are slightly destabilized (be sure to report any issues in our forums).
Two Extensibility Demos
We now have two demos that illustrate different approaches for extending Gadgets. Our newest Shared Library Demo shows how to secure an existing untrusted library and attach it to any existing sandbox without modification. In this demo, a simple hover effect library is exposed to all Gadgets.
This complements the existing Map Gadget Demo that illustrates how to safely expose a trusted library to your unstrusted code via a custom policy. In the Map demo, we expose APIs that allow you to safely manipulate a shared Virtual Earth Map control. You can use this same technique to provide safe access to any API enabling you to create a secure, customaizable, extensibility experience for your site.
Watch Scott Isaacs at Mix 09
The Microsoft Web Sandbox: An Open Source Framework for Developing Secure Standards-Based Web Applications
Hear a discussion about key challenges with Web security today and how the Microsoft Web Sandbox is addressing these challenges by virtualizing both script execution and the DOM. Learn about the Web Sandbox open source framework that runs on all modern browsers and builds on the ongoing ECMA TC-39 security working group efforts.
Web Sandbox Open Source License
Since the initial release of Web Sandbox we have received a great deal of feedback from the web security community. We have also been collaborating with a number of customers, partners and the standards communities that would like to adopt the technology when it is ready. Our goal is to achieve widespread adoption of Web Sandbox and to help foster interoperability with complementary technologies like script frameworks.
(Note: While we are using an Apache License, the Web Sandbox project is not sponsored or endorsed by the Apache Software Foundation and is not an ASF project.)
We frequently update the Web Sandbox with bug fixes and improvements. Track the latest changes in the general discussion forum.
How can you help?
Where do you send feedback?
We welcome your feedback in the Community Forums. We have two forums: one for general discussions and another for full disclosure of exploits.
Why are some web applications insecure?
An increasing number of Web 2.0 applications incorporate 3rd party content. There are two common patterns: via direct script inclusion or embedded in an IFrame.
- Components that are included directly execute with full trust and can access private information elsewhere on the page and site. The site is subject to intentional or non-intentional bugs that could compromise personal information or degrade the web application's quality of service.
- IFrames offer isolation but not complete security. Malicious code can try to install ActiveX controls, redirect users, interrogate your browser history, degrading the quality of service. IFrames also make it hard to provide an integrated experience and share data across components.
How do I get started?
This site allows developers to experiment with the Sandbox. We recommend you start with the documentation that contains code snippets you can quickly run within the Sandbox. You can also jump in and start experimenting with your own code. Lastly, you can try to break the sample applications provided.