I’d argue that having a sandbox that can run binaries with a limited and customizable feature set is actually a good thing for the web. I think there are more technically competent solutions, but the fact that WASM is available on virtually every machine and os, makes it pretty powerful.
If implemented right WASM might speed up our web apps, keep the browser sandbox that is actually quite nice, and run on pretty much any machine. If they open sourced the code, thst’d be even better.
Between minified js and WASM, I think I’d take WASM (I can’t understand minified js anyway). Between a pure html site and WASM, I think I’d take the pure html site (but I don’t think we will be living in that world anytime soon).
The difference between minified JS and WASM is that you can un-minify one with relatively good results, whereas decompiling WASM is similar to decompiling normal binaries - pretty hard to read. This means that even experienced users can’t really understand or change WASM binaries.
For WASM you can probably use tools like ghidra to decompile and read.
Minified js not a lot better then raw ASM, single letter names and crazy optimisation patterns will make your life hell. Patching both I think is out of the question, maybe just inject some new js that interact with the DOM.
Did a bit of reverse engineering on binaries in my life, and also spent too much time reading the youtube minified js. Both are hard as hell.
The problem with sandboxes is that there isn’t a perfect prision. Eventually, ways will be found to break out of it, and there will be bad actors that will take advantage of such.
I’ll grant that COM, ActiveX, and Adobe/Shockwave Flash turned out to be security nightmares.
But maybe it’ll be fine this time…/s
It’s technically possible that widespread use of hallucination-prone AI code-assist is the quality control tool that was missing in the several previous attempts…
So much website JavaScript these days is just poor design, tracking, and bloat.
And it will get worse with WASM. At least now we can see the entirity of the code and even patch it if required, and WASM might make that way harder.
I’d argue that having a sandbox that can run binaries with a limited and customizable feature set is actually a good thing for the web. I think there are more technically competent solutions, but the fact that WASM is available on virtually every machine and os, makes it pretty powerful.
If implemented right WASM might speed up our web apps, keep the browser sandbox that is actually quite nice, and run on pretty much any machine. If they open sourced the code, thst’d be even better.
Between minified js and WASM, I think I’d take WASM (I can’t understand minified js anyway). Between a pure html site and WASM, I think I’d take the pure html site (but I don’t think we will be living in that world anytime soon).
The difference between minified JS and WASM is that you can un-minify one with relatively good results, whereas decompiling WASM is similar to decompiling normal binaries - pretty hard to read. This means that even experienced users can’t really understand or change WASM binaries.
For WASM you can probably use tools like ghidra to decompile and read.
Minified js not a lot better then raw ASM, single letter names and crazy optimisation patterns will make your life hell. Patching both I think is out of the question, maybe just inject some new js that interact with the DOM.
Did a bit of reverse engineering on binaries in my life, and also spent too much time reading the youtube minified js. Both are hard as hell.
The problem with sandboxes is that there isn’t a perfect prision. Eventually, ways will be found to break out of it, and there will be bad actors that will take advantage of such.
I’ll grant that COM, ActiveX, and Adobe/Shockwave Flash turned out to be security nightmares.
But maybe it’ll be fine this time…/s
It’s technically possible that widespread use of hallucination-prone AI code-assist is the quality control tool that was missing in the several previous attempts…
I completely agree.
However, I still would rather have all the websites I visit pass through my browser’s api than be making straight syscalls.
I think it’s not perfect security but a good line of defense.
See: the web pyramid, from The Website Obesity Crisis.