So I was doing a little research about differences (if any) between the sandboxing models for Windows 8/8.1 applications and Windows 10 applications when I stumbled across something rather interesting: when Oracle shipped Java 8 Update 51 a few months ago, they added a new feature that seems to have flown way under the radar:
New Features and Changes
Operating system's restricted environment (Native Sandbox)
JDK 8u51 introduced the following changes to Native Sandbox:
Native sandbox is available on Windows platform only.
Native sandbox can be enabled or disabled through Java Control Panel->Advanced settings->Enable the operating system's restricted environment (native sandbox) or by setting deployment.security.use.native.sandbox property to true in deployment.properties file.
Native sandbox is disabled by default.
When native sandbox is enabled, the sandbox applets or web-start applications will run in a restricted environment, that is provided by the operating system. This will not affect the all-permission applications and they will continue to run as before.
The link is here. It contains a little more (very little more) information. And trying to find documentation or discussion elsewhere has turned up ... well, basically nothing. Nothing. Were it not for that bit of text in the release notes above and the existence of the new option in the UI there would be no reason to think that a new capability had been released. Strange.
Anyway, setting aside why there's an amazing lack of information out there about this "Native Sandbox" feature, does anybody actually have any further idea of what it is, and what it does? Does it move the Java VM and libraries into the sorta-semi-sandbox "Protected Mode" privilege area that IE uses? Does it take advantage of the Windows 8/8.1 and/or Windows 10 app models to put the Java VM and accompanying stuff into a new Windows application sandbox? (I know Microsoft has said that in 2016 it's going to ship a capability to put traditional desktop programs into sandboxes and distribute them through the Windows 10 store, so maybe putting the Java player into a Windows 10 sandbox might not be out of the question.) Something else completely? In either case, the VM would still be there, running within the extra sandbox? I'm kinda baffled.
And why hasn't Oracle said anything about this, except (apparently) on the one single page? The feature is obviously in the product. Why is it disabled by default? Is it supposed to be in testing, somehow? Anybody?
EDIT:
Doing a slightly different Google search turned up, ironically, a very similar question already asked on Stack Exchange by someone else but unanswered. Apologies if I duplicated that question... but, does anybody know anything more about this?
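The only concrete handle the release notes give on this feature is the deployment.properties key, so a practical first step on a fleet is to check which machines actually have it set. Below is a small Python checker added here as an example; it is not code from the question's author or from Oracle. It parses a Java deployment.properties file (key/value pairs in java.util.Properties format, including backslash line continuations, \uXXXX escapes and the escaped colons and doubled backslashes Java writes into Windows paths) and reports whether deployment.security.use.native.sandbox is enabled. The sample file contents are constructed for the example and are not a real capture; the per-user file location and the ".locked" suffix convention are taken from Oracle's deployment configuration documentation as I recall it, and the case-insensitive comparison against "true" is an assumption about how the plugin reads the value.

```python
import re

# Key named in the JDK 8u51 release notes; the notes say it is disabled by default.
NATIVE_SANDBOX_KEY = "deployment.security.use.native.sandbox"

# Per-user location on Windows (assumed from Oracle's deployment docs; a system-wide
# file can also be pointed to from deployment.config and may lock keys).
USER_PROPERTIES_PATH = r"%USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment\deployment.properties"

# Constructed sample of what the Java Control Panel writes; not a real capture.
SAMPLE = r"""#deployment.properties
#Tue Sep 01 10:00:00 PDT 2015
deployment.version=8.0
deployment.security.use.native.sandbox=true
deployment.security.level=HIGH
deployment.javaws.jre.0.product=1.8.0_51
deployment.javaws.jre.0.location=https\://java.sun.com/products/autodl/j2se
deployment.javaws.jre.0.path=C\:\\Program Files\\Java\\jre1.8.0_51\\bin\\javaw.exe
! a value continued across lines, with a \uXXXX escape in it
deployment.user.security.exception.sites=C\:\\Users\\Ren\u00e9\\AppData\\LocalLow\\Sun\\Java\\Deployment\\security\\\
    exception.sites
"""

_ESCAPES = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}


def _unescape(s):
    """Resolve java.util.Properties escapes: \\uXXXX, \\t \\n \\r \\f, and \\X -> X."""
    out, i = [], 0
    while i < len(s):
        c = s[i]
        if c != "\\" or i + 1 >= len(s):
            out.append(c)
            i += 1
            continue
        nxt = s[i + 1]
        hexpart = s[i + 2:i + 6]
        if nxt == "u" and re.fullmatch(r"[0-9a-fA-F]{4}", hexpart):
            out.append(chr(int(hexpart, 16)))
            i += 6
        else:
            out.append(_ESCAPES.get(nxt, nxt))
            i += 2
    return "".join(out)


def _logical_lines(text):
    """Join continuation lines (odd number of trailing backslashes) and drop comments."""
    buf = None
    for raw in text.splitlines():
        line = raw.lstrip()  # leading whitespace is never significant
        if buf is None and (not line or line[0] in "#!"):
            continue
        trailing = len(line) - len(line.rstrip("\\"))
        if trailing % 2 == 1:
            buf = (buf or "") + line[:-1]
        else:
            yield (buf or "") + line
            buf = None
    if buf is not None:
        yield buf


def _split_key_value(line):
    """Key ends at the first unescaped '=', ':' or whitespace; one separator is then optional."""
    i, key = 0, []
    while i < len(line):
        c = line[i]
        if c == "\\":
            key.append(line[i:i + 2])
            i += 2
        elif c in "=: \t":
            break
        else:
            key.append(c)
            i += 1
    while i < len(line) and line[i] in " \t":
        i += 1
    if i < len(line) and line[i] in "=:":
        i += 1
    while i < len(line) and line[i] in " \t":
        i += 1
    return _unescape("".join(key)), _unescape(line[i:])


def parse_java_properties(text):
    """Parse java.util.Properties-format text into a dict (later duplicates win, as in Java)."""
    props = {}
    for line in _logical_lines(text):
        key, value = _split_key_value(line)
        props[key] = value
    return props


def load_deployment_properties(path):
    # Java reads .properties as ISO-8859-1; anything outside Latin-1 arrives as \uXXXX.
    with open(path, encoding="latin-1") as fh:
        return parse_java_properties(fh.read())


def native_sandbox_enabled(props):
    """True only when the key is present and reads 'true'; absent means the default (disabled).
    Case-insensitive comparison is an assumption about how the plugin parses the value."""
    return props.get(NATIVE_SANDBOX_KEY, "false").strip().lower() == "true"


def native_sandbox_locked(props):
    """Deployment properties can be pinned in the system-level file with a '.locked' key."""
    return NATIVE_SANDBOX_KEY + ".locked" in props


if __name__ == "__main__":
    props = parse_java_properties(SAMPLE)
    print("native sandbox enabled:", native_sandbox_enabled(props))
    print("locked by system policy:", native_sandbox_locked(props))
    print("JRE path:", props["deployment.javaws.jre.0.path"])
```

Point load_deployment_properties() at the per-user file (and at the system-level file if deployment.config names one) to see the effective setting; a key that is absent from both files means the feature is off, which matches the "disabled by default" line in the release notes.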