Abstract: A product on demand nozzle assembly includes a chamber at least partially defined by an external wall and an array of vertically spaced nozzles. Each nozzle has an air inlet, an air and entrained product outlet extending from the external wall, and an entrainment zone between the air inlet and the air and entrained product outlet to receive a product therein to be distributed.

Abstract: Techniques for content handling for applications are described. In one or more implementations, a first set of content handling policies is enforced for a first portion of an application that is permitted to invoke code elements of the computing device and a second set of content handling policies is enforced for a second portion of the application that is not permitted to invoke the code elements. Further, a determination is made whether to apply the first set of content handling policies or the second set of content handling policies to content based on which portion of the application is requesting the content.

Abstract: An application based hardware identifier is generated for an application on a device. The application based hardware identifier is generated based on both information describing the application and information describing one or more hardware components of the device. The application based hardware identifier can also optionally be based on an identifier of a user of the device. The application based hardware identifier can be provided by the application to a service provider, allowing the service provider to associate the application based hardware identifier with a particular user or user account. However, as the application based hardware identifier is based on the application information, different applications on the same device will have different application based hardware identifiers. The application based hardware identifier thus helps maintain privacy by preventing tracking of the device across different applications.

Abstract: A computing device includes a view control that manages presentation of electronic content on the computing device. The presentation can include displaying content, audibly playing back content, and so forth. The view control is made available to multiple different applications on the computing device. To use the view control, an application provides to the view control an indication of a resolver for the view control to use. The electronic document includes references to electronic content, and the view control requests the referenced electronic content from the resolver. The resolver obtains the referenced electronic content, decodes (e.g., decompresses, decrypts, etc.) the obtained electronic content, and returns the decoded electronic content to the view control for display or other presentation.

Abstract: A package identifier for a package from which an application is installed on a computing device is obtained. The package identifier is assigned to each of one or more processes created for running the application and, for each of the one or more processes, whether the process is permitted to access a resource of the computing device is determined based at least in part on the package identifier.

Abstract: Content inspection techniques are described. In one or more implementations, it is detected that an application executing on a computing device is calling a particular code element of a group of code elements to be used to process content. For example, the group of code elements can include a pre-specified group of code elements (e.g., functions and/or properties) that may enable access to particular functionalities of a computing device and thus are associated with a known security risk. It is then ascertained that the content is untrusted and, in response to ascertaining that the content is untrusted, the content is inspected to determine if the content is safe to be passed to the code element.

Abstract: Per process networking capability techniques are described. In one or more implementations, a determination is made as to whether access to a network capability is permitted for a process that is executed on the computing device based on a token that is associated with the process. The token has one or more security identifiers that reference one or more network capabilities described in a manifest. The access to the network capability is managed based on the determination.

Abstract: A package identifier for a package from which an application is installed on a computing device is obtained. The package identifier is assigned to each of one or more processes created for running the application and, for each of the one or more processes, whether the process is permitted to access a resource of the computing device is determined based at least in part on the package identifier.

Abstract: A package identifier for a package from which an application is installed on a computing device is obtained. The package identifier is assigned to each of one or more processes created for running the application and, for each of the one or more processes, whether the process is permitted to access a resource of the computing device is determined based at least in part on the package identifier.

Abstract: A computing device includes a view control that manages presentation of electronic content on the computing device. The presentation can include displaying content, audibly playing back content, and so forth. The view control is made available to multiple different applications on the computing device. To use the view control, an application provides to the view control an indication of a resolver for the view control to use. The electronic document includes references to electronic content, and the view control requests the referenced electronic content from the resolver. The resolver obtains the referenced electronic content, decodes (e.g., decompresses, decrypts, etc.) the obtained electronic content, and returns the decoded electronic content to the view control for display or other presentation.

Abstract: An application based hardware identifier is generated for an application on a device. The application based hardware identifier is generated based on both information describing the application and information describing one or more hardware components of the device. The application based hardware identifier can also optionally be based on an identifier of a user of the device. The application based hardware identifier can be provided by the application to a service provider, allowing the service provider to associate the application based hardware identifier with a particular user or user account. However, as the application based hardware identifier is based on the application information, different applications on the same device will have different application based hardware identifiers. The application based hardware identifier thus helps maintain privacy by preventing tracking of the device across different applications.

Abstract: Various embodiments provide an ability to isolate execution of trusted content and/or script from execution of untrusted content and/or script. Separate contexts and/or execution environments can be used for the trusted content and untrusted content, respectively. A trusted context and/or execution environment associated with execution of trusted content can be configured to enable access to sensitive resources associated with a computing device. An untrusted context and/or execution environment associated with execution of untrusted content can be configured with limited and/or no access to the sensitive resources. Alternately or additionally, data generated within the untrusted context can be transferred to the trusted context in a benign manner.

Abstract: Various embodiments provide an ability to isolate execution of trusted content and/or script from execution of untrusted content and/or script. Separate contexts and/or execution environments can be used for the trusted content and untrusted content, respectively. A trusted context and/or execution environment associated with execution of trusted content can be configured to enable access to sensitive resources associated with a computing device. An untrusted context and/or execution environment associated with execution of untrusted content can be configured with limited and/or no access to the sensitive resources. Alternately or additionally, data generated within the untrusted context can be transferred to the trusted context in a benign manner.

Abstract: A package identifier for a package from which an application is installed on a computing device is obtained. The package identifier is assigned to each of one or more processes created for running the application and, for each of the one or more processes, whether the process is permitted to access a resource of the computing device is determined based at least in part on the package identifier.

Abstract: Content inspection techniques are described. In one or more implementations, it is detected that an application executing on a computing device is calling a particular code element of a group of code elements to be used to process content. For example, the group of code elements can include a pre-specified group of code elements (e.g., functions and/or properties) that may enable access to particular functionalities of a computing device and thus are associated with a known security risk. It is then ascertained that the content is untrusted and, in response to ascertaining that the content is untrusted, the content is inspected to determine if the content is safe to be passed to the code element.

Abstract: Techniques for content handling for applications are described. In one or more implementations, a first set of content handling policies is enforced for a first portion of an application that is permitted to invoke code elements of the computing device and a second set of content handling policies is enforced for a second portion of the application that is not permitted to invoke the code elements. Further, a determination is made whether to apply the first set of content handling policies or the second set of content handling policies to content based on which portion of the application is requesting the content.

Abstract: Capability access management techniques for processes are described. In one or more implementations, a token is formed having one or more security identifiers that reference capabilities described in a manifest for the executable code responsive to an input received to initiate execution of executable code installed on the computing device. The one or more processes formed through execution of the executable code on the computing device are associated with the token, the token usable to manage access of the one or more processes to the capabilities of the computing device.

Abstract: Per process networking capability techniques are described. In one or more implementations, a determination is made as to whether access to a network capability is permitted for a process that is executed on the computing device based on a token that is associated with the process. The token has one or more security identifiers that reference one or more network capabilities described in a manifest. The access to the network capability is managed based on the determination.

Abstract: A broker module of a computing device receives requests from an isolated application to access one or more items of an item source. In response to a request, storage item objects representing items of the item source are generated and returned to the isolated application for each item of the item source that the isolated application is authorized to access. Whether the isolated application is authorized to access a particular item can be based on particular item sources and/or particular item locations.