Web Sandbox from Live Labs

Microsoft, or more precisely, IE 8 was a Silver-level sponsor at The Ajax Experience that wrapped up today at the Hilton Logan Airport in Boston. The conference was in our backyard, so both Chris and I were able to attend and immerse ourselves in the state of the practice in the Ajax and JavaScript communities. Since the primary JavaScript design pattern I use is cut-and-paste, it was especially cool to see some of the best-practices talks by the likes of Douglas Crockford and Mark Miller.

One of the more timely presentations involved Microsoft’s Scott Isaacs, ‘father of DHTML’, who co-presented on a panel entitled Secure Mashups: Getting to Safe Web Plug-ins. It was timely specifically because of the attack against the New York Times this past weekend. To my understanding, the exploit occurred through the hosting of an ad (which, ironically, the Times had sold to the hacker) in an iframe. The ad was legitimate for a while, but then the perpetrators switched it and introduced malicious JavaScript that redirected to a malware site.

Now that mashups and ad services are becoming more and more part of the face of the Web, shielding your site from untrusted or misbehaving third-party code is no longer optional. The problem is being addressed in a number of different ways by different groups. Google, for instance, has the Caja project; Douglas Crockford has been working on ADsafe; and Facebook has FBJS for developers who want to supplement their applications with JavaScript. In the Microsoft corner is Web Sandbox, a project available from Microsoft Live Labs.

Web Sandbox’s approach to the problem is to host the third-party code or widget in a virtual machine, so that it has its own compartmentalized DOM, namespace, global variables, and so on. The third-party code (HTML, CSS, and JavaScript) first undergoes a transformation (HTML and CSS are actually transformed into JSON) into a form the virtual machine understands. The virtual machine then applies access rules, defined in optional policy statements, to control whether and how elements hosted elsewhere in the page may be accessed.

One of the attributes noted as unique to Web Sandbox (versus Caja, ADsafe, etc.) is the incorporation of quality-of-service (QoS) capabilities. The sandbox actually monitors the number of statements executed, long-running code, excessive use of alerts, and so on, so that the user can abort execution when the sandbox detects that the executing code has exceeded the defined thresholds.
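As an added illustration of the two mechanisms described above (policy-mediated access to the hosting page, and QoS thresholds that abort runaway widget code), here is a small JavaScript sketch of the idea. It is not Web Sandbox code: the host page, the policy shape, the `step()`/`getElement()` environment names and the limits are all constructed for the example.

```javascript
class SandboxAbort extends Error {}
function runSandboxed(untrusted, policy, limits) {
  const stats = { steps: 0, alerts: 0, denied: [], alertsShown: [] };
  const started = Date.now();
  const deny = (id) => { stats.denied.push(id); return null; };
  const env = {
    // Transformed widget code calls step() before every statement; it also acts as a
    // wall-clock watchdog so a long-running loop cannot hang the hosting page.
    step() {
      if (++stats.steps > limits.maxSteps) throw new SandboxAbort('step budget exceeded');
      if (Date.now() - started > limits.maxMillis) throw new SandboxAbort('time budget exceeded');
    },
    alert(msg) {
      if (++stats.alerts > limits.maxAlerts) throw new SandboxAbort('alert budget exceeded');
      stats.alertsShown.push(String(msg));
    },
    // Every reach into the host page goes through the policy ('r' and/or 'w' per element id).
    getElement(id) {
      const rule = policy.elements[id];
      if (!rule) return deny(id);
      return {
        get text() { return rule.includes('r') ? policy.host[id].text : deny(id); },
        set text(v) { if (rule.includes('w')) policy.host[id].text = v; else deny(id); },
      };
    },
  };
  try {
    untrusted(env);
    return { ok: true, stats };
  } catch (e) {
    if (e instanceof SandboxAbort) return { ok: false, reason: e.message, stats };
    throw e; // a genuine bug in the widget is reported, not swallowed
  }
}
// Constructed host page and policy: the widget may read the title and owns only its slot.
const host = { title: { text: 'Demo page' }, widget: { text: '' }, login: { text: 'secret' } };
const policy = { host, elements: { title: 'r', widget: 'rw' } };
const limits = { maxSteps: 1000, maxAlerts: 3, maxMillis: 100 };
// Well-behaved widget, written as transformed code looks after step() insertion.
const goodWidget = (env) => {
  env.step(); const title = env.getElement('title').text;
  env.step(); env.getElement('widget').text = 'Hello from ' + title;
  env.step(); env.getElement('login'); // outside the policy: denied, returns null
};
// Misbehaving widget: alert spam inside a loop that never terminates.
const badWidget = (env) => { for (;;) { env.step(); env.alert('Buy now!'); } };
const goodResult = runSandboxed(goodWidget, policy, limits);
const badResult = runSandboxed(badWidget, policy, limits);
console.log(goodResult.ok, host.widget.text, goodResult.stats.denied, badResult.reason);
```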

The Live Labs site is pretty extensive in terms of interactive samples and documentation, so it’s definitely worth a look to gain a better understanding of the vulnerabilities your site may face.  There’s even a “Can you Hack It?” section that challenges you to try to break the Web Sandbox.