Slashdot Mirror
All Major Browsers Now Support WebAssembly (bleepingcomputer.com)
An anonymous reader writes: "It took only two years for all browser vendors to get on the same page regarding the new WebAssembly standard, and as of October 2017, all major browsers support it," reports Bleeping Computer. Project spearheads Firefox and Chrome were the first major browsers to graduate WebAssembly from preview versions to their respective stable branches over the summer. The second wave followed in the following weeks when Chromium-based browsers like Opera and Vivaldi also rolled out the feature as soon as it was added to the Chromium stable version. The last ones to ship WebAssembly in the stable branches were Apple in Safari 11.0 and Microsoft in Microsoft Edge (EdgeHTML 16), which is the version that shipped with the Windows 10 Fall Creators Update. Both were released last month. WebAssembly, or wasm, is a bytecode format for the web, allowing developers to send JavaScript code to browsers in smaller sizes, but also to compile from C/C++/Rust to wasm directly.
What most people don't realize is webassembly is just a way to obfuscate the web in the same manner people already obfuscate compiler binaries.
Furthermore it will lead to integrated 'all in one' scripts that cannot be easily disentangled, making it harder for end users to filter what scripts on a website they are running.
Additionally it no doubt has engineered defects in it to help national intelligence apparatus' to more easily exploit target browsers, while also providing fingerprint opportunities far more opaque than even current browsers capabilities to deanonymize you.
Think twice before you let webassembly ruin the web for you!
I think Web Assembly is a tremendous mistake. This will end up being nothing more than an insecure vector for people you don't know to run programs on your computer.
Not to spoil a good rant, but Web Assembly is just a more compact serialization (binary instead of text) of a subset of EcmaScript/JavaScript.
Everything you can do with it, you could already do with normal scripts, and it was already very common to "minify"/obfuscate these scripts into an unreadable mess.
So, if there are security issues with WAsm, they're also present in plain JS, and were already present a couple of years ago.
The only thing that changes is that your browser now doesn't need to download as much data for scripts, since the binary format acts as a compression.
... Web Assembly is just a more compact serialization (binary instead of text) of a subset of EcmaScript/JavaScript.....
Much of what you say is morally true. But it's not technically true.
It's true that wasm is a binary serialisation of an abstract syntax tree (AST) but that AST is defined _without reference to JavaScript_, see https://github.com/WebAssembly... . In contrast, the asm.js spec is genuinely a subset of JavaScript.
You're right that wasm doesn't introduce new capabilities to the browser as such. In the current 'MVP' version of wasm, the only way to invoke web assembly is via JavaScript, and the only way for wasm code to interact with the browser is via JavaScript.
But it does make certain scenarios, such as running large compiled C programs, much more practical. It is, by design, a far more efficient compilation target than JavaScript or asm.js, see https://github.com/WebAssembly... . For example, we can expect Unity running on wasm to become commonplace, see http://webassembly.org/demo/ .
...if there are security issues with WAsm, they're also present in plain JS,...
You can't be sure of that. The wasm codepaths will reuse much of the existing JavaScript execution engine but there will be new code and that new code could - and probably will - have security vulnerabilities. But probably no more than any other major browser feature.