What is native sandbox?

Question

I found "Enable the operating system's restricted environment (native sandbox)" is added to Java control panel at 8u51. But I could not find any documents.

Answer 1

From the official Release Notes for JDK 8 and JDK 8 Update Releases we know that:

• Native sandbox is available on Windows platform only.

• Native sandbox can be enabled or disabled through Java Control Panel->Advanced settings->Enable the operating system's restricted environment (native sandbox) or by setting deployment.security.use.native.sandbox property to true in deployment.properties file.

• Native sandbox is disabled by default.

• When native sandbox is enabled, the sandbox applets or web-start applications will run in a restricted environment, that is provided by the operating system. This will not affect the all-permission applications and they will continue to run as before.

• Native sandbox will be disabled for applications included the in Exception Site List (ESL) or when Deployment Rule Set (DRS) is used.

• Sandbox applets deployed with HTML applet tag which includes all-permissions JAR files from the Class-Path manifest attribute, will run in native sandbox.

• In such cases, a special warning dialog will display, informing the user that the applet may not work properly, when such an applet tries to access the all-permission JAR files.

• Custom preloader will be disabled in certain cases when native sandbox is enabled:

  • Custom preloader will be disabled when sandbox applets or web-start applications are initializing and the default preloader will be used instead. After application is initialized, Java VM restarts with native sandbox enabled and the custom preloader will be used.
  • For all-permission applications, custom preloader will be disabled if it is located in the JNLP file with sandbox permission, until user agrees to run application from the Security Dialog, which grants unrestricted access (privileged) to application.

There is, at the moment, no more documention than this. To sum up, in the Java platform, the native sandbox is a specific Windows feature, which use a set of API from the operating system to improve the sandboxing.

The Windows Store Apps should use the same set of API. There is an article about this : Windows Store Apps live in the Sandbox. It says:

Being in the Sandbox also means the app has no direct access to any other app or service running outside of the app’s sandbox. Access to other apps or services is facilitated by Windows itself with a defined set of APIs with in the runtime environment.