java – 什么是原生沙箱？

• Native sandBox is available on Windows platform only.

• Native sandBox can be enabled or disabled through Java Control Panel->Advanced settings->Enable the operating system’s restricted environment (native sandBox) or by setting deployment.security.use.native.sandBox property to true in deployment.properties file.

• Native sandBox is disabled by default.

• When native sandBox is enabled,the sandBox applets or web-start applications will run in a restricted environment,that is provided by the operating system. This will not affect the all-permission applications and they will continue to run as before.

• Native sandBox will be disabled for applications included the in Exception Site List (ESL) or when Deployment Rule Set (DRS) is used.

• SandBox applets deployed with HTML applet tag which includes all-permissions JAR files from the Class-Path manifest attribute,will run in native sandBox.

• In such cases,a special warning dialog will display,informing the user that the applet may not work properly,when such an applet tries to access the all-permission JAR files.

• Custom preloader will be disabled in certain cases when native sandBox is enabled:

  • Custom preloader will be disabled when sandBox applets or web-start applications are initializing and the default preloader will be used instead. After application is initialized,Java VM restarts with native sandBox enabled and the custom preloader will be used.
  • For all-permission applications,custom preloader will be disabled if it is located in the JNLP file with sandBox permission,until user agrees to run application from the Security Dialog,which grants unrestricted access (privileged) to application.

目前,没有比这更多的文件了.总而言之,在Java平台中,本机沙箱是一种特定的Windows功能,它使用操作系统中的一组API来改进沙盒.

Windows应用商店应用应使用相同的API集.有一篇关于此的文章：Windows Store Apps live in the Sandbox.它说：

Being in the SandBox also means the app has no direct access to any other app or service running outside of the app’s sandBox. Access to other apps or services is facilitated by Windows itself with a defined set of APIs with in the runtime environment.