Web Sandbox - General

Announcements

• Link

  What's New...

  Thursday, August 12, 2010 4:32 PM

  August 11, 2010

  This update focuses on a few performance issues.

  • Only initialize the window once, not for each sandbox instance.
  • Fix to work-around WebKit's CSS DOM performance issues (huge performance improvement).
  • Fix global stylesheet clean-up.
  • Fix to more accurately test that a method is natively implemented versus defined by the Host Page (reduces potential for conflict between the sandbox and outer page).

  July 21, 2010

  This is a fairly large update to improve support for common web frameworks and libraries. Below highlights a few of the fixes

  • Fixes for input elements including <button type="..."> support and IE's document.createElement("<tag property='value'>") syntax.
  • Added support for getComputedStyle(element,null).getPropertyValue.memberName.
  • NamedNodeMaps can access members by member name (similar to the fix for getComputedStyle above).
  • Fixed support for cancelling a hyperlinks default action by returning false to the event.
  • Executing a regular expression against a regular expression type now works.
  • Fixed issues with prototype inheritance. This should fix the extend pattern used by most frameworks.
  • Event object fixes including relatedTarget and added custom property support to the event object.
  • Support for hasOwnProperty method.
  • Default value of calculated opacity is now 1 in all browsers.
  • Support for getBoundingClientRect.
  • Fixed a dynamic script loading timing issue to support YUI's dynamic loader.
  • Support for invoking document.all() as a method in addition to the traditional [] notation.
  • Fix bug in the scoping of Array.forEach.
  • Support for HSL and HSLA colors (passes through to the browser so assumes browser support)
  • Support for more CSS3 background properties.
  • Support for textContent and getElementsByClassName on browsers that have native support.
  • A number of other minor bug fixes.

  June 29, 2010

  This update focuses on the CSS.

  • CSS2 attribute selectors are now parsed.
  • RGB and RGBa values are now parsed.
  • Rounded corners and box-shadows (including the webkit and mozilla proprietary equivalents) are now enabled.
  • In Internet Explorer, all samples are run in the latest browser mode (Sandboxed Canvas not working in IE9 is a known issue).

  June 25, 2010

  We are working on improving the fidelity of the original document structure. This update includes the following changes:

  • We are working on properly supporting the DOM for head elements. This update supports the TITLE, META, and SCRIPT elements. Script elements are properly represented relative to their document location.
  • The scripts collection as well as attributes on individual SCRIPT elements are properly exposed. We now ignore SCRIPT elements are specified via the TYPE attribute to not contain JavaScript.
  • The document anchors and lists collections are now properly supported.
  • Line-breaks in TEXTAREA and PRE elements are fixed.
  • For the media attribute on LINK and STYLE elements, only sheets that target the screen or all media types are supported. Print stylesheets are on our TODO list.
  • Other small bug-fixes in prototype chain handling.

  May 25, 2010

  Today we released a refactored Sandbox script. This update has a much cleaner, more optimized policy file that uses 20K less code, signficantly less JavaScript closures, and enforces more consistency through a prescribed definition pattern. We also keep expanding support for more API's, have started on some of the HTML 5 features, and are focusing on supporting the various framework libraries.

  Below are some of the highlights:

  • Every method by definition exposes its corresponding property.
  • Enable Firefox'es funky if (documennt.all) // return false test even though document.all is supported.
  • Better support for routing keyboard events to the document.
  • Fixes to support JQuery better (still a work in progress).
  • Improved inner/outerHTML, regular expression, and mouse positioning support.
  • Support for Canvas (requires browser support).
  • Support for hyperlink javascript-based URL's in the initial HTML.

   

  March 1, 2010 - Catching Up!

  Over the past few months, we have been quietly updating the Sandbox script. Below highlights some of the more significant changes:

  • Lots of bug fixes (e.g., getVarDate, NaN.toString(), regular expression issues, prototype inheritance, styling input elements, and more).
  • Added better host integration events (onbeforeqos, onxmlrequest, onerror, onformsubmit, and more). We are working on the host integration documentation.
  • Introduced a new isolate policy that matches the IFrame behavior providing full isolation of content from the surrounding page.
  • Basic support for the IFrame element. IFrame contents are now generated and encapsulated in their own sandbox.
  • Enable support for dynamically loading the sandbox library.
  • Huge performance improvements for processing stylesheets and the initial HTML.
• Link

  Work items and current limitations

  Monday, November 03, 2008 8:11 PM
  The following items represent work in progress. Consequently until we check them off they could be regarded as current limitations. They are due to our implementation rather than the sandbox architecture.
  
  

  1. The gadget's HTML must be well-formed.
  2. document.write is partially implemented and not fully debugged.
  3. JavaScript's with statement is unsupported.
  4. The XML proxy allowing gadgets to invoke back-end services is not enabled (now supported!).
  5. The Dynamic loading of script is unsupported (now supported!).
  6. Silverlight and Flash objects are unsupported.
  7. Depending on operations, the performance overhead varies between 1.5 and 4 times.

  Should you run into other unexpected surprises we either missed something from the above list or you discovered a bug. Keep us posted.
  
  -Dragos

• Link

  Web Sandbox available under the Open Source Apache License 2.0

  Wednesday, January 28, 2009 6:07 AM
   Today, we are announcing that we are making much of the source code for the Web Sandbox project available under the Open Source Apache License 2.0.

  Since the initial release of Web Sandbox we have received a great deal of feedback from the web security community. We have also been collaborating with a number of customers, partners and the standards communities that would like to adopt the technology when it is ready. Our goal is to achieve widespread adoption of Web Sandbox and to help foster interoperability with complementary technologies like script frameworks.

  See the Web Sandbox site for additional licensing details. Thank you for your input to the project so far, and we are excited to continue our collaboration with you.

  (Note: While we are using an Apache License, the Web Sandbox project is not sponsored or endorsed by the Apache Software Foundation and is not an ASF project.)

   

  -Dragos