One of the more timely presentations involved Microsoft’s Scott Isaacs, the ‘father of DHTML’, who co-presented on a panel entitled Secure Mashups: Getting to Safe Web Plug-ins. It was timely because of the attack against the New York Times this past weekend. To my understanding, the exploit occurred through the hosting of an ad (which, ironically, the Times had sold to the hacker) in an
One of the attributes noted as unique about the Web Sandbox (versus Caja, ADsafe, etc.) was the incorporation of quality of service (QoS) capabilities. The sandbox actually monitors the number of statements executed, long-running code, excessive use of alerts, etc. so that the user can abort execution when the sandbox detects that the executing code has exceeded defined thresholds.
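As an added illustration of the QoS idea described above (example code, not the Web Sandbox’s own): guest code is rewritten so that each block entry reports to a guard that enforces a statement budget, a wall-clock budget and an alert budget, and aborts the run when one is exceeded. The names `createQosGuard`, `instrument` and `runSandboxed`, the regex-based rewriting and the automatic abort (the Web Sandbox instead lets the user decide) are all assumptions of this example.

```javascript
// Added example, not Web Sandbox code: a minimal QoS guard. The guest source is rewritten so
// every block opened by `) {`, `else {`, `try {`, `finally {` or `do {` first calls the guard.
class QosExceeded extends Error {
  constructor(reason) { super(reason); this.name = 'QosExceeded'; }
}

function createQosGuard({ maxStatements = 10000, maxMillis = 50, maxAlerts = 3 } = {}) {
  let statements = 0;
  let alerts = 0;
  const start = Date.now();
  return {
    tick() {                         // called once per instrumented block entry
      statements += 1;
      if (statements > maxStatements) throw new QosExceeded(`statement budget of ${maxStatements} exceeded`);
      if (Date.now() - start > maxMillis) throw new QosExceeded(`ran longer than ${maxMillis} ms`);
    },
    alert() {                        // stands in for window.alert; only counts, never blocks the page
      alerts += 1;
      if (alerts > maxAlerts) throw new QosExceeded(`more than ${maxAlerts} alerts`);
    },
    stats() { return { statements, alerts }; },
  };
}

// Naive textual instrumentation (hypothetical): a real rewriter works on a parse tree, so it
// also covers brace-less bodies such as `for (;;) x();`, which this regex misses.
function instrument(source) {
  return source.replace(/(\)|\belse|\btry|\bfinally|\bdo)\s*\{/g, '$1 { __qos.tick();');
}

// new Function only executes the rewritten source; it is not an isolation boundary.
// The Web Sandbox pairs accounting like this with virtualization of the page's DOM.
function runSandboxed(source, limits) {
  const qos = createQosGuard(limits);
  const run = new Function('__qos', 'alert', instrument(source));
  try {
    run(qos, qos.alert);
    return { ok: true, ...qos.stats() };
  } catch (e) {
    if (e instanceof QosExceeded) return { ok: false, reason: e.message, ...qos.stats() };
    throw e;                         // ordinary errors in guest code propagate unchanged
  }
}

// Constructed guest snippets: a bounded loop passes; an infinite loop and an alert storm are cut off.
const bounded = runSandboxed('var s = 0; for (var i = 0; i < 100; i++) { s += i; }');
const runaway = runSandboxed('while (true) { }', { maxStatements: 500 });
const noisy = runSandboxed('for (var i = 0; i < 10; i++) { alert("buy now"); }', { maxAlerts: 3 });
```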
The Live Labs site is pretty extensive in terms of interactive samples and documentation, so it’s definitely worth a look to gain a better understanding of the vulnerabilities your site may face. There’s even a “Can you Hack It?” section that challenges you to try to break the Web Sandbox.