Quality of Service (QoS) Protections
A secure environment involves more than protecting data: it must also ensure that untrusted code cannot destabilize the overall environment. Today, as mash-ups include more and more third-party code, there is always the risk that some of that code will fail or degrade the overall experience. The Sandbox also has the goal of mitigating this risk.
Whenever long-running code is detected, the Sandbox intervenes and offers the user the opportunity to disable just that code block. For example, feel free to try the following clearly erroneous code samples:
The example below is problematic as it often requires you to kill the browser.
Or our favorite:
We also support gadgets reloading themselves via the standard location.reload() API. Reloading kills and restarts the virtual machine for the specified instance. However, this also provides the potential for infinite recursion. The Sandbox limits the number of times a component can reload itself within a short time period.
In addition, code that generates script errors is automatically caught:
The QoS (quality of service) metrics used by the system are fully configurable. We have plans to extend this support across the entire system, for example by preventing prompts during the onmousemove event and by examining and preventing expensive regular expressions.
Reloading after failures
In the real world, failures are typically not going to occur intentionally. The Sandbox supports the ability to dynamically restart any component at any point. As you experiment in the Sandbox, don't miss the reload button.
The Big Throttle – Pausing the Code
Even with all the QoS measures, we are still constrained to execute in a single thread. This thread must be shared across all the code on your page. Today, if you create a web page with many gadgets that degrade your experience, your only option is typically to remove gadgets until the experience becomes acceptable. We discovered a compromise: the ability to temporarily deactivate code. In our Sandbox playground, pausing is under the user's control. We are exploring how to apply this automatically as needed.
We recommend trying this in action. Try loading the simple clock below. When the page loads, clone the clock a few times, then try clicking the pause and resume buttons on the different clock instances. This demonstration also shows how the title of the page can be intercepted and enabled by the host environment.
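The reload limit described under "Quality of Service Protections" and the pause/resume control described here are both host-side decisions about a guest instance. The following is an added example of how a host could implement them; it is not Web Sandbox's own code, and the window length, reload cap, instance ids and the `GadgetSupervisor` name are assumptions chosen for illustration.

```javascript
// Added example (not Web Sandbox code): a host-side supervisor for sandboxed gadget instances.
// It models two QoS controls: a cap on self-reloads within a sliding time window (breaking an
// infinite reload loop) and pause/resume of an instance's callbacks on the shared single thread.
class GadgetSupervisor {
  // windowMs and maxReloads are assumed policy values; `now` is injectable for testing.
  constructor({ windowMs = 10000, maxReloads = 3, now = Date.now } = {}) {
    this.windowMs = windowMs;
    this.maxReloads = maxReloads;
    this.now = now;
    this.instances = new Map(); // id -> { reloads: number[], paused: boolean, deferred: Map }
  }

  register(id) {
    this.instances.set(id, { reloads: [], paused: false, deferred: new Map() });
  }

  instance(id) {
    const inst = this.instances.get(id);
    if (!inst) throw new Error(`unknown gadget instance: ${id}`);
    return inst;
  }

  // Returns true if the instance may reload now. Once maxReloads have happened inside the
  // sliding window the request is refused, so a gadget that reloads itself on load is stopped.
  requestReload(id) {
    const inst = this.instance(id);
    const t = this.now();
    inst.reloads = inst.reloads.filter(ts => t - ts < this.windowMs); // drop stamps outside window
    if (inst.reloads.length >= this.maxReloads) return false;
    inst.reloads.push(t);
    return true;
  }

  // Wraps a gadget callback (e.g. a clock tick). While the instance is paused the call is held,
  // and only the latest held call per callback is kept so a resumed clock catches up in one tick.
  guard(id, fn) {
    const slot = {}; // unique key for this callback's deferred slot
    return (...args) => {
      const inst = this.instance(id);
      if (inst.paused) { inst.deferred.set(slot, () => fn(...args)); return false; }
      fn(...args);
      return true;
    };
  }

  pause(id) { this.instance(id).paused = true; }

  // Clears the pause flag, replays the coalesced deferred calls, and returns how many ran.
  resume(id) {
    const inst = this.instance(id);
    inst.paused = false;
    const queued = [...inst.deferred.values()];
    inst.deferred.clear();
    queued.forEach(run => run());
    return queued.length;
  }
}
```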
This approach also offers hosts the ability to customize their activation model. Whether an extension should execute automatically, initialize itself and then stay dormant until activated, stay completely inactive until enabled, or any other mechanism a host may dream up, should be supported by the underlying architecture.