Microsoft Live Labs Web Sandbox

October 23, 2008, 11:00 am (http://ajaxian.com)

38

The Microsoft Live Labs team has announced a new project: Web Sandbox. The team is lead by Scott Isaacs, someone who we owe thanks to, since he played a large part in the birth of dhtml (and thus, Ajax).

The sandbox takes HTML, CSS, and JavaScript, and puts it in an isolated box. The goal is a little like Caja, AdSafe, FBJS, and other solutions that try to make JavaScript execution more secure in some way.

Take a look at an example, such as the script error sample, which shows how errors are handled and don't blow up the entire page.

The sandbox converts code like this:

HTML:
  1.  
  3.     <head>
  4.         <title>Script Error Sample</title>
  5.         <style>
  6.             .sampleTitle
  7.             {
  8.                 font-family: Segoe UI, Tahoma;
  9.                 font-size: 11pt;
  10.                 font-weight: bold;
  11.                 color: #07519A;
  12.             }
  13.             .scriptErrorSample
  14.             {
  15.                     height: 130px;
  16.                     border: solid 1px lightgrey;
  17.                     background: white;
  18.                     background-repeat: repeat-x;
  19.                     background-position: left top;
  20.                     padding: 10px;
  21.                     overflow-y: auto;
  22.             }
  23.         </style>
  24.     </head>
  25.     <body>
  26.         <div id="sample" class="scriptErrorSample">
  27.             <script type="text/javascript">
  28.                 window.clockelement = "currentTime";
  29.                 function onClick() {
  30.                     // Try to access an inexistent element
  31.                     window.clockelement = "currentTime2";
  32.                 }
  33.             </script>
  34.  
  35.                         <p>Clicking the button will cause a scripting error. When running outside the sandbox this error effectively crashes the application stopping the clock. Within the Sandbox, the error stops only that instance.</p>
  36.                         <p>After the error is generated, you can reload this gadget by clicking the [reload] button in the Gadget toolbar.  <input type="button" onclick="onClick()" value="Generate Error!"/></p>
  37.             <div id="currentTime" style="font-size: 8pt; font-weight: normal; color: Gray">
  38.             </div>
  39.  
  40.             <script type="text/javascript">
  41.                 window.setInterval(function() {
  42.                     document.getElementById(window.clockelement).innerText = new Date();
  43.                 }, 999)
  44.             </script>
  45.         </div>
  46.     </body>
  47. </html>
  48.  

and converts it (via server side, or client side with Silverlight-only):

HTML:
  1.  
  2. var settings = { css : { ".sampleTitle":{"font-family":"Segoe UI, Tahoma","font-size":"11pt","font-weight":"bold","color":"#07519A"},
  3.  ".scriptErrorSample":{"border-left-width":"1px","border-right-width":"1px","border-top-width":"1px","border-bottom-width":"1px","border-left-style":"solid","border-right-style":"solid","border-top-style":"solid","border-bottom-style":"solid","padding-left":"10px","padding-right":"10px","padding-top":"10px","padding-bottom":"10px","height":"130px","background":"white","background-repeat":"repeat-x","background-position":"left top","overflow-y":"auto"} } };
  4.  
  5. var headerJavaScript =
  6. function(a)
  7. {
  8.     var b = a.gw(this),
  9.         c = a.g,
  10.         d = a.i,
  11.         e = a.f,
  12.         f = c(b,"document");
  13.     d(f,"initializeHTML",[[{"body":{"c":[" ",{"div":{"a":{"id":"sample","class":"scriptErrorSample"},"c":[" ",{"script":"code1"}," ",{"p":{"c":["Clicking the button will cause a scripting error. When running outside the sandbox this error effectively crashes the application stopping the clock. Within the Sandbox, the error stops only that instance."]}}," ",{"p":{"c":["After the error is generated, you can reload this gadget by clicking the [reload] button in the Gadget toolbar. ",{"input":{"a":{"type":"button","onclick":e(function()
  14.     {
  15.         d(b,"onClick")
  16.     }),"value":"Generate Error!"}}}]}}," ",{"div":{"a":{"id":"currentTime","style":{"font-size":"8pt","font-weight":"normal","color":"Gray"}},"c":[" "]}}," ",{"script":"code2"}," "]}}," "]}}]])
  17. };
  18.  
  19. var metadata = {"author":"","description":"","imagepath":"","title":"Script Error Sample","preferredheight":0,"preferredwidth":0,"location":"","base":{"href":"","target":""},"scripts" : {"code1" :
  20. function(a)
  21. {
  22.     var b = a.gw(this),
  23.         c = a.g,
  24.         d = a.s,
  25.         e = a.f,
  26.         f = a.v;
  27.     f.onClick = e(function()
  28.     {
  29.         d(b,"clockelement","currentTime2")
  30.     });
  31.     d(b,"clockelement","currentTime")
  32. },"code2" :
  33. function(a)
  34. {
  35.     var b = a.gw(this),
  36.         c = a.g,
  37.         d = a.s,
  38.         e = a.i,
  39.         f = a.n,
  40.         g = a.f,
  41.         h = c(b,"document");
  42.     e(b,"setInterval",[g(function()
  43.     {
  44.         d(e(h,"getElementById",[c(b,"clockelement")]),"innerText",f(c(b,"Date"),[]))
  45.     }),999])
  46. }}};
  47.  
  48. $Sandbox.registerCode(headerJavaScript, "0", settings, metadata);
  49.  
  50. var SandboxInstance = new $Sandbox(document.getElementById('g_0_0_inst'), $Policy.Gadget, "0");
  51.  
  52. SandboxInstance.initialize();
  53.  

You may want to note a few things, such as how you can use CSS such as "body { color: red; }" and it only effects that one area, and how you can access the DOM and the same isolation happens.

Although the project talks a lot about security and gadgets/mashups, there are other interesting side benefits.

For example, the team has implemented functionality such as the W3C event model, which means that addEventListener say, works in IE (via this process). If people start to use this, maybe the labs team can get the IE team to implement their work natively!

Finally, Scott kindly gave us a few words on the project:

We focused on going beyond security by exploring a more holistic solution for site extensibility. We are also providing cross-browser support built around existing web standards. The default (and extensible) Gadget policy is modeled after standard HTML pages and the IFrame model. Together, this allows developers to leverage their existing skills, knowledge, and tools.

A robust virtualized environment for Web 2.0 applications is more than just about security. It is important to also protect the site’s integrity by providing QoS monitoring and controls over code execution (the ability freeze and unfreeze code to better manage browser performance and user experience). For host sites, it is necessary to have easy integration and multi-instancing support.

We know performance is a concern. We are still early in the project and have not yet finished optimizing the code and we are still expanding the DOM API support. However, our initial work is showing promise. As one benchmark, consider Google Caja. Not only are we focusing on a complete solution with broad support for DOM APIs, HTML, and CSS, we are also showing better performance at this early stage. Attached a simple script that focuses on measuring the overhead introduced by the sandbox (you can also find it at the bottom). This script is executable in both our Sandbox and the Caja test environment.

 

Tags: {, =, gt, lt, }

  launch permalink  share  

Recommended News Content

Recommended Groups

Gabbr - General Discussion  119 members

Recommended Bookmarks

Gambling Teachers: Free Learning Center  0 comments

Payday Loans = Costly Cash  0 comments

Comments

No comments. Be the first to comment.

 

You must be logged in to post a comment.

Learn More
About Gabbr

Pixelate Project

Learn more about the Pixelate Project

Questions?
Contact Us

Popular News Channels

elections iPhone Iraq sports golf Barack Obama terrorism web SEO Britney Spears Disney

Community

Get acquainted with some of our most recent members.

©2000–2007 One Guy & One Server.