Microsoft Opens Up Web Sandbox

• By John K. Waters
• 02/04/09

The source code for Microsoft's Web Sandbox is now available under an open license.

Microsoft announced the release last week on its Port25 open source community Web site. The company has made the source code available under the Apache 2.0 open source license, the site reported.

The Web Sandbox project is "a prototype of technology for mashing up code while maintaining better process isolation, quality of service protection, and security," according to Microsoft.

The technology does what all sandboxes do, said Gartner analyst Ray Valdes. It restricts the actions of a program to a defined set of privileges and actions to reduce the chances of the program damaging the system hosting it. In this case, the chief aim is to improve the security of browsers running JavaScript.

"JavaScript is a live electrical wire in terms of security, and it needs to be insulated," Valdes said. "Adding to the problem, mashups allow users to load Web pages with content and code from different sources. This intermingling of code creates a security vulnerability. This is a general problem today, and Microsoft is employing a very worthwhile process to deal with it."

Bola Rotibi, an industry analyst at Macehiter Ward-Dutton, agreed. "The Web as a platform has been an incubator for all sorts of security vulnerabilities," she said. "Attempting to provide a consistent sandbox across all browsers makes extremely good sense; open sourcing the process and using the Apache License 2.0 is a good idea, because it provides recognizable structure for usage and participation."

Not Endorsed by Apache Foundation
Although the Web Sandbox code is available under an Apache license, Microsoft is careful to point out that this is not an Apache Software Foundation (ASF) project, nor is it sponsored or endorsed by the ASF.

And yet, Microsoft has become something of an ASF supporter. Its recent acquisition of semantic search company Powerset made the company a direct code contributor to ASF's Hadoop project. And last year, Microsoft began providing financial support for the ASF in the amount of $100,000 annually.

The Web Sandbox project, now available as a technology preview, was developed at Microsoft Live Labs, an applied-research laboratory for Internet technologies made up of researchers from MSN, Microsoft Research and the academic community.

"Increased collaboration with customers and partners will allow the Web Sandbox team to continue to add features and improve the functionality of Web Sandbox that they hope will lead to a robust and long-term solution to Web security challenges," said a Microsoft spokesman.

The impact of this project on developers remains to be seen, according to Rotibi. "The ultimate benefit to developers is confidence in a secure environment," she said. "If it really does provide cross-browser support, that could mean improved security for their own code and Web applications. Microsoft's decision to open source the code means free access, but also the benefit of great minds at Microsoft and around the community."

But Port 25 blogger Peter Galli also cautions developers that the Sandbox is not yet ready for primetime. "While developers are being encouraged to help define and refine the Web Sandbox, it is not recommended for those developers creating production sites as it is still under development," Galli wrote.

"This is a forward-looking project," Valdes said. "It's trying to come up with technology that addresses a real and evolving problem. That Microsoft is addressing the problem in a cooperative manner is a very good thing, and they should be commended."