Microsoft Opens Up Web Sandbox

The source code for Microsoft's Web Sandbox is now available under an open license.

Microsoft announced the release last week on its Port25 open source community Web site. The company has made the source code available under the Apache 2.0 open source license, the site reported.

The Web Sandbox project is "a prototype of technology for mashing up code while maintaining better process isolation, quality of service protection, and security," according to Microsoft.

The technology does what all sandboxes do, said Gartner analyst Ray Valdes. It restricts the actions of a program to a defined set of privileges and actions to reduce the chances of the program damaging the system hosting it. In this case, the chief aim is to improve the security of browsers running JavaScript.

"JavaScript is a live electrical wire in terms of security, and it needs to be insulated," Valdes said. "Adding to the problem, mashups allow users to load Web pages with content and code from different sources. This intermingling of code creates a security vulnerability. This is a general problem today, and Microsoft is employing a very worthwhile process to deal with it."

Bola Rotibi, an industry analyst at Macehiter Ward-Dutton, agreed. "The Web as a platform has been an incubator for all sorts of security vulnerabilities," she said. "Attempting to provide a consistent sandbox across all browsers makes extremely good sense; open sourcing the process and using the Apache License 2.0 is a good idea, because it provides recognizable structure for usage and participation."

Not Endorsed by Apache Foundation
Although the Web Sandbox code is available under an Apache license, Microsoft is careful to point out that this is not an Apache Software Foundation (ASF) project, nor is it sponsored or endorsed by the ASF.

And yet, Microsoft has become something of an ASF supporter. Its recent acquisition of semantic search company Powerset made the company a direct code contributor to ASF's Hadoop project. And last year, Microsoft began providing financial support for the ASF in the amount of $100,000 annually.

The Web Sandbox project, now available as a technology preview, was developed at Microsoft Live Labs, an applied-research laboratory for Internet technologies made up of researchers from MSN, Microsoft Research and the academic community.

"Increased collaboration with customers and partners will allow the Web Sandbox team to continue to add features and improve the functionality of Web Sandbox that they hope will lead to a robust and long-term solution to Web security challenges," said a Microsoft spokesman.

The impact of this project on developers remains to be seen, according to Rotibi. "The ultimate benefit to developers is confidence in a secure environment," she said. "If it really does provide cross-browser support, that could mean improved security for their own code and Web applications. Microsoft's decision to open source the code means free access, but also the benefit of great minds at Microsoft and around the community."

But Port 25 blogger Peter Galli also cautions developers that the Sandbox is not yet ready for primetime. "While developers are being encouraged to help define and refine the Web Sandbox, it is not recommended for those developers creating production sites as it is still under development," Galli wrote.

"This is a forward-looking project," Valdes said. "It's trying to come up with technology that addresses a real and evolving problem. That Microsoft is addressing the problem in a cooperative manner is a very good thing, and they should be commended."

About the Author

John K. Waters is a freelance author and journalist based in Silicon Valley. His latest book is The Everything Guide to Social Media. Follow John on Twitter, read his blog on, check out his author page on Amazon, or e-mail him at


  • Microsoft Previews Windows VM Authentications via Azure Active Directory

    Microsoft on Thursday announced a preview of remote authentications into Windows-based Azure virtual machines (VMs) using Azure AD credentials.

  • Windows Server 20H1 Getting Smaller Containers and Faster PowerShell

    Microsoft is promising to deliver a smaller container size and improved PowerShell performance with its next release of Windows Server.

  • Microsoft Previews Microsoft Teams for Linux

    Microsoft on Tuesday announced a "limited preview" release of Microsoft Teams for certain Linux desktop operating systems.

  • Hyper-V Architecture: Some Clarifications

    Brien answers two thought-provoking reader questions. First, do Hyper-V VMs have direct hardware access? And second, how is it possible to monitor VM resource consumption from the host operating system?

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.