News

Microsoft Opens Up Web Sandbox

The source code for Microsoft's Web Sandbox is now available under an open license.

Microsoft announced the release last week on its Port25 open source community Web site. The company has made the source code available under the Apache 2.0 open source license, the site reported.

The Web Sandbox project is "a prototype of technology for mashing up code while maintaining better process isolation, quality of service protection, and security," according to Microsoft.

The technology does what all sandboxes do, said Gartner analyst Ray Valdes. It restricts the actions of a program to a defined set of privileges and actions to reduce the chances of the program damaging the system hosting it. In this case, the chief aim is to improve the security of browsers running JavaScript.

"JavaScript is a live electrical wire in terms of security, and it needs to be insulated," Valdes said. "Adding to the problem, mashups allow users to load Web pages with content and code from different sources. This intermingling of code creates a security vulnerability. This is a general problem today, and Microsoft is employing a very worthwhile process to deal with it."

Bola Rotibi, an industry analyst at Macehiter Ward-Dutton, agreed. "The Web as a platform has been an incubator for all sorts of security vulnerabilities," she said. "Attempting to provide a consistent sandbox across all browsers makes extremely good sense; open sourcing the process and using the Apache License 2.0 is a good idea, because it provides recognizable structure for usage and participation."

Not Endorsed by Apache Foundation
Although the Web Sandbox code is available under an Apache license, Microsoft is careful to point out that this is not an Apache Software Foundation (ASF) project, nor is it sponsored or endorsed by the ASF.

And yet, Microsoft has become something of an ASF supporter. Its recent acquisition of semantic search company Powerset made the company a direct code contributor to ASF's Hadoop project. And last year, Microsoft began providing financial support for the ASF in the amount of $100,000 annually.

The Web Sandbox project, now available as a technology preview, was developed at Microsoft Live Labs, an applied-research laboratory for Internet technologies made up of researchers from MSN, Microsoft Research and the academic community.

"Increased collaboration with customers and partners will allow the Web Sandbox team to continue to add features and improve the functionality of Web Sandbox that they hope will lead to a robust and long-term solution to Web security challenges," said a Microsoft spokesman.

The impact of this project on developers remains to be seen, according to Rotibi. "The ultimate benefit to developers is confidence in a secure environment," she said. "If it really does provide cross-browser support, that could mean improved security for their own code and Web applications. Microsoft's decision to open source the code means free access, but also the benefit of great minds at Microsoft and around the community."

But Port 25 blogger Peter Galli also cautions developers that the Sandbox is not yet ready for primetime. "While developers are being encouraged to help define and refine the Web Sandbox, it is not recommended for those developers creating production sites as it is still under development," Galli wrote.

"This is a forward-looking project," Valdes said. "It's trying to come up with technology that addresses a real and evolving problem. That Microsoft is addressing the problem in a cooperative manner is a very good thing, and they should be commended."

About the Author

John K. Waters is the editor in chief of a number of Converge360.com sites, with a focus on high-end development, AI and future tech. He's been writing about cutting-edge technologies and culture of Silicon Valley for more than two decades, and he's written more than a dozen books. He also co-scripted the documentary film Silicon Valley: A 100 Year Renaissance, which aired on PBS.  He can be reached at [email protected].

comments powered by Disqus

Featured

  • New 'Visual Studio Hub' 1-Stop-Shop for GitHub Copilot Resources, More

    Unsurprisingly, GitHub Copilot resources are front-and-center in Microsoft's new Visual Studio Hub, a one-stop-shop for all things concerning your favorite IDE.

  • Mastering Blazor Authentication and Authorization

    At the Visual Studio Live! @ Microsoft HQ developer conference set for August, Rockford Lhotka will explain the ins and outs of authentication across Blazor Server, WebAssembly, and .NET MAUI Hybrid apps, and show how to use identity and claims to customize application behavior through fine-grained authorization.

  • Linear Support Vector Regression from Scratch Using C# with Evolutionary Training

    Dr. James McCaffrey from Microsoft Research presents a complete end-to-end demonstration of the linear support vector regression (linear SVR) technique, where the goal is to predict a single numeric value. A linear SVR model uses an unusual error/loss function and cannot be trained using standard simple techniques, and so evolutionary optimization training is used.

  • Low-Code Report Says AI Will Enhance, Not Replace DIY Dev Tools

    Along with replacing software developers and possibly killing humanity, advanced AI is seen by many as a death knell for the do-it-yourself, low-code/no-code tooling industry, but a new report belies that notion.

  • Vibe Coding with Latest Visual Studio Preview

    Microsoft's latest Visual Studio preview facilitates "vibe coding," where developers mainly use GitHub Copilot AI to do all the programming in accordance with spoken or typed instructions.

Subscribe on YouTube