Slashdot Mirror

← Back to Stories (view on slashdot.org)

All Major Browsers Now Support WebAssembly (bleepingcomputer.com)

Posted by BeauHD on from the it's-about-time dept.

An anonymous reader writes: "It took only two years for all browser vendors to get on the same page regarding the new WebAssembly standard, and as of October 2017, all major browsers support it," reports Bleeping Computer. Project spearheads Firefox and Chrome were the first major browsers to graduate WebAssembly from preview versions to their respective stable branches over the summer. The second wave followed in the following weeks when Chromium-based browsers like Opera and Vivaldi also rolled out the feature as soon as it was added to the Chromium stable version. The last ones to ship WebAssembly in the stable branches were Apple in Safari 11.0 and Microsoft in Microsoft Edge (EdgeHTML 16), which is the version that shipped with the Windows 10 Fall Creators Update. Both were released last month. WebAssembly, or wasm, is a bytecode format for the web, allowing developers to send JavaScript code to browsers in smaller sizes, but also to compile from C/C++/Rust to wasm directly.

35 of 243 comments (clear)

  1. Original Article by theweatherelectric · · Score: 5, Informative

    Better to get content from the source. BleepingComputer appears to just read Mozilla blogs and repackage them as its own. Here's the original Mozilla blog post.

  2. Well that's unfortunate. by Anonymous Coward · · Score: 5, Insightful

    Already about 1/2 of web pages I can only get to work by using "view source" and clipping out links from the source which for some idiotic reason the site wants to demand javascript to do something that pure HTML could do just fine, such as display an image or move to another URL when you click on the link.

    Can't wait until that has yet another layer of obscuration due to WebAssem.

    The modern web's idiocy only ever grows larger and larger. Can't wait for WebAssem based obscuring images over the text you're trying to read, or more obscured privacy obliterations or the like. At least firefox will have a way to shut that idiocy off.

    1. Re:Well that's unfortunate. by Anonymous Coward · · Score: 4, Insightful

      Just wait for WebAssembly to be the next Flash/malware ad vector.

      Personally I hope it fails. The web browser should never have been an "app" ecosystem, because browsers can't keep their shit together.

    2. Re:Well that's unfortunate. by lucm · · Score: 4, Informative

      Already about 1/2 of web pages I can only get to work by using "view source" and clipping out links from the source

      Whatever possible damage you think javascript can cause you is tiny compared to your current nightmarish internet experience. Maybe it's time to move on.

      --
      lucm, indeed.
    3. Re:Well that's unfortunate. by TheRaven64 · · Score: 4, Informative

      I have a colleague working on formal verification of WebAssembly. Part of this has involved fuzzing various WebAssembly implementations. There are a lot of bugs in all of them, though Edge is by far the worst (reproduceable crashes are hard, because it crashes randomly on most of his test inputs, but at different points).

      It's also a pretty horrible design. It's replaced HSAIL as my go-to example for how not to design a good IR.

      --
      I am TheRaven on Soylent News
    4. Re:Well that's unfortunate. by TheRaven64 · · Score: 5, Insightful

      If you send a lot of random shit at something, of course it's going to crash.

      If your thread model for something that is expected to accept random crap from the Internet is 'it's fine as long as input is well formed', then you are going to have a lot of fun dealing with security vulnerabilities. Contrary to your assertion, well-written code does not crash when you send it a lot of random shit, it gracefully handles errors.

      --
      I am TheRaven on Soylent News
    5. Re:Well that's unfortunate. by Anonymous Coward · · Score: 2, Funny

      Exactly! Stop being different, get baa-aa-aack in line.

  3. Chrome & Safari are only browsers that matter by Anonymous Coward · · Score: 2, Insightful

    Let's be honest with ourselves here, as of late 2017 the only browsers that matter are Chrome and Safari. Together they have about 85% of the entire market. IE/Edge comes next. Firefox, Opera and Vivaldi barely register.

    Chrome, and to a lesser extent Safari, define what the web is. If they don't support a web technology, it effectively does not exist. If they support a technology, it's a standard.

    Wasm's success will be fully determined by how well Chrome and Safari support it. It doesn't really matter if Firefox does or doesn't support it. Firefox's 2% or 3% of the market doesn't matter at all.

  4. Re:Chrome & Safari are only browsers that matt by theweatherelectric · · Score: 2

    Firefox, Opera and Vivaldi barely register.

    So change that. Apathy is useless. Use Firefox or Opera or Vivaldi.

  5. Re:Chrome & Safari are only browsers that matt by Anonymous Coward · · Score: 3, Informative

    Firefox's 2% or 3% of the market doesn't matter at all.

    Firefox is currently the 3rd most popular, with 13% market share. source.

  6. This is great but. by Mr0bvious · · Score: 3, Interesting

    It's not much use until the vast majority of users have adopted these compatible browser versions.

    Not being intentionally negative, but how long will this take in reality?

    --
    Never happened. True story.
    1. Re:This is great but. by Daltorak · · Score: 2

      It's not much use until the vast majority of users have adopted these compatible browser versions.

      Not being intentionally negative, but how long will this take in reality?

      Not long.

      caniuse.com says that 67% of browsers currently in use in North America support WebAssembly. The 33% breaks down like this: 10% iOS 9/10, 6% IE, 4% Edge, 3% Samsung browsers, and 10% for every other rickety thing out there.

      Give iOS 10 -> 11, Safari 10 -> 11, and Edge 15 -> 16 upgrades another 3 months to roll through (these are all safe and good-quality updates), then WebAssembly availability will be over 80%. That's good enough to take a dependency on. Millions of people keep on using IE, Android Browser and Opera Mini, which aren't getting any updates at all, and nearly 100% of those people have access to another device or browser which does support WebAssembly.

  7. Re:Chrome & Safari are only browsers that matt by Anubis+IV · · Score: 2

    That's the desktop browser share, but the majority of Internet browsing has been on mobile for several years now, so citing desktop numbers without providing any context is rather disingenuous.

    When you look at overall browser usage, Firefox falls back to 4th with a 6-7% share (behind either IE or a Chinese mobile browser I had never heard of), depending on whose numbers you use. And regardless of whose numbers you use, Chrome + Safari account for about 2/3 of all browser usage (with Chrome alone accounting for about 1/2).

  8. Re:Sick of idiots and bump stocks... apk by barbariccow · · Score: 2

    This is way too coherent to be the real APK. And missing the barrage of links to questionable pages. Fail.

  9. Re:Chrome & Safari are only browsers that matt by AvitarX · · Score: 3, Interesting

    Which is a shame, because webasm is what it is because of mozillas asm.js

    They really had the right approach and it won.

    I say this using firefox at work and often wishing it was chrome (default search and printing suck on FF).

    --
    Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
  10. Worst idea ever. by Anonymous Coward · · Score: 5, Interesting

    What most people don't realize is webassembly is just a way to obfuscate the web in the same manner people already obfuscate compiler binaries.

    Furthermore it will lead to integrated 'all in one' scripts that cannot be easily disentangled, making it harder for end users to filter what scripts on a website they are running.

    Additionally it no doubt has engineered defects in it to help national intelligence apparatus' to more easily exploit target browsers, while also providing fingerprint opportunities far more opaque than even current browsers capabilities to deanonymize you.

    Think twice before you let webassembly ruin the web for you!

  11. Re:Does WASM support general execution? by nateman1352 · · Score: 4, Informative

    In general, yes you can. One important thing to keep in mind is that not all libraries are available in wasm. Obviously win32 won't work, and most C++ GUI toolkits have not been posted to render to a HTML 5 canvas yet.

    Another big hole IMHO is there is no native support for garbage collected languages yet. The thing that excites me the most about this is once GC is enabled we could potentially see a Python implementation that runs in the browser (without having to recompile CPython to wasm, which would be huge and slow.) You could also do stuff like compile Java/C#/Adobe Flash directly to wasm and completely eliminate the terrible Flash/Silverlight/Java plugins.

  12. You got your C code in my browser! by Sir+Holo · · Score: 2

    FTSubmission: WebAssembly, or wasm, is a bytecode format for the web, allowing developers to send JavaScript code to browsers in smaller sizes, but also to compile from C/C++/Rust to wasm directly.

    [emphasis mine]

    Who wants websites running arbitrary C code on their machines? C is a real programming language. Probably the flagship used for most of the software you buy. It is powerful and widely known. So why let any old website that you visit execute code, probably in the background, on their own machine?

    I see lots more 'sploits coming down the pipe as wasm is implemented. With real languages at their fingertips, tons of unaware users who will effectively let anyone have access to their electricity and CPU time without even knowing.

    This just swings the door wide-open for a flood of Trojan code, actual code, not JS, all over the web running who-knows-what bit-miner, or distributed child-porn torrent node, or who knows what? It's like a giant, anonymous Beowulf cluster capability (where you lose). . . on top of all of those "Punch the Monkey" Ads suddenly freed to fly around over the text you're trying to read... or constantly right under you pointer, like a big Ad-flag hanging there permanently while on the offending site.

    Wait, Tabs aren't sand-boxed similarly to browser windows... Are they? I hope so.

    Many people think that the browser IS the internet!

    There will be chaos.

  13. Re:Chrome & Safari are only browsers that matt by boudie2 · · Score: 2

    slashdot still works in w3m
    https://en.wikipedia.org/wiki/...

  14. Tremendous mistake by Okian+Warrior · · Score: 5, Insightful

    I think Web Assembly is a tremendous mistake.

    This will end up being nothing more than an insecure vector for people you don't know to run programs on your computer.

    1) It claims to be secure by only executing in a sandbox. Have other attempts at sandboxing had security flaws?
    2) Assuming the sandboxing works as advertized, is there a way for the sandboxing to break the sandbox in ways the coders hadn't considered? (Such as periodically using a lot/little CPU time or memory as a way to communicate to a different tab?)
    3) Can Web Assembly be used to steal CPU cycles, so your computer can be used for BitCoin mining or anything else while visiting a web page? (And no, that they can do this already doesn't invalidate the argument.)
    4) Does Web Assembly add a level of obfuscation to the code, making it harder to see what it's doing?

    We once had a period where E-mail attachments were automatically opened and run, where Excel macros activate when a spreadsheet is viewed, and where myriad ActiveX libraries were available for use by anyone.

    Anyone remember that era?

    We've locked down the ability to install and run programs on our computers, but now we've moved the goalposts. Our browser will now download and run programs for us from any random website, any website that contracts out to an agency to supply advertizing, and and website advertizing contractor who doesn't vet his clients.

    "Oh, we're so sorry! That malware delivery got through our vetting process. We've terminated that one client, please feel safe downloading the ads from all of our other clients - they're clean. Pinky swear! :-)"

    For the next 10 years expect to see a steady stream of exploits and patches. A mini industry will crop up selling antivirus checkers for web pages, and AdBlock extensions for browsers.

    It's deja vu all over again.

    1. Re:Tremendous mistake by Hal_Porter · · Score: 2

      Rowhammer attacks in Javascript were able to cross VMs.

      https://media.ccc.de/v/32c3-71...

      And obviously if you have byte code the possibilities for obfuscation are really good. E.g. MOVfuscator the 'single instruction compiler'

      https://www.youtube.com/watch?...

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
    2. Re:Tremendous mistake by ByteSlicer · · Score: 5, Interesting

      I think Web Assembly is a tremendous mistake. This will end up being nothing more than an insecure vector for people you don't know to run programs on your computer.

      Not to spoil a good rant, but Web Assembly is just a more compact serialization (binary instead of text) of a subset of EcmaScript/JavaScript.
      Everything you can do with it, you could already do with normal scripts, and it was already very common to "minify"/obfuscate these scripts into an unreadable mess.

      So, if there are security issues with WAsm, they're also present in plain JS, and were already present a couple of years ago.
      The only thing that changes is that your browser now doesn't need to download as much data for scripts, since the binary format acts as a compression.

    3. Re:Tremendous mistake by nateman1352 · · Score: 4, Interesting

      No doubt about it, wasm has all the problems that all other prior attempts at sand-boxing binary blobs of code in the web browser have had. You hit the major ones.

      Here's the thing though, the web circa 10 years ago had 3 competing mechanisms to implement sand-boxed binary blobs:

      1. Adobe Flash
      2. Java
      3. Silverlight
      Prototypes for Google NaCl were starting to show up around this time too.

      All of these had their own sand-box implementation, and they were not sand-boxed themselves, so the surface area for attack was much higher. So HTML 5 tried to do away with that, but then PNaCl and asm.js show us that no matter how hard we try to get rid of binary blobs of code on the web, someone implements it anyway. So, given that there have been persistent attempts by the various large web players for the past 20 years to build binary code blobs in to web pages, and that there is no sign of it slowing down, the most sensible compromise to me is basically what wasm has become... a standardized mechanism for building those binary blobs that can be directly integrated in to the browser.

      It does have its problems like you note, but its better that we only have 1 standardized sand-box implementation, and that sand-box implementation is bundled in with a bunch of other high risk code as part of the browser package, which is easy to keep vigilantly updated. Even before wasm, gone were the days of the web browser being a simple document layout renderer. The web browser is basically a visualized operating system... Google has taken this to IHMO a very dangerous extreme, see the Javascript USB API for example. The web browser is basically a run time for USB device drivers at this point. To me wasm seems like the inevitable end result of the path that HTML 5 started us down.

    4. Re:Tremendous mistake by garethjrowlands · · Score: 5, Interesting

      ... Web Assembly is just a more compact serialization (binary instead of text) of a subset of EcmaScript/JavaScript.....

      Much of what you say is morally true. But it's not technically true.

      It's true that wasm is a binary serialisation of an abstract syntax tree (AST) but that AST is defined _without reference to JavaScript_, see https://github.com/WebAssembly... . In contrast, the asm.js spec is genuinely a subset of JavaScript.

      You're right that wasm doesn't introduce new capabilities to the browser as such. In the current 'MVP' version of wasm, the only way to invoke web assembly is via JavaScript, and the only way for wasm code to interact with the browser is via JavaScript.

      But it does make certain scenarios, such as running large compiled C programs, much more practical. It is, by design, a far more efficient compilation target than JavaScript or asm.js, see https://github.com/WebAssembly... . For example, we can expect Unity running on wasm to become commonplace, see http://webassembly.org/demo/ .

      ...if there are security issues with WAsm, they're also present in plain JS,...

      You can't be sure of that. The wasm codepaths will reuse much of the existing JavaScript execution engine but there will be new code and that new code could - and probably will - have security vulnerabilities. But probably no more than any other major browser feature.

    5. Re:Tremendous mistake by Big+Hairy+Ian · · Score: 2

      The only thing that changes is that your browser now doesn't need to download as much data for scripts, since the binary format acts as a compression.

      It should also execute faster as bytecode is much less processor intensive to interpret than JavaScript and therefore more efficient. So even if someone does use WAsm to mine BitCoin it will still steal less processor cycles per coin of course they will simply generate more coins anyway.

      --

      Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.

    6. Re:Tremendous mistake by AmiMoJo · · Score: 3, Interesting

      The Javascript USB API is actually a good idea. It's better than the current situation with binary drivers, especially on Linux where they run in the kernel.

      For safe operation of USB you need the low level stack only in the kernel, the part that does the low level I/O and is extremely robust. Then there is a userland USB stack that sits on top of it, handling descriptors and I/O functions for userland drivers/applications.

      The Javascript USB API adds some extra protection. Firstly, instead of having a bunch of random drivers with near zero quality control, you have just the browser. A browser that is security hardened and well tested. And all the browser does is provide some simple access mechanisms to various USB features like pipes and descriptors. The code that actually talks to the device, the place where most of the vulnerabilities are, is now sandboxed Javascript.

      Even better, the browser prints you for permission to access the device. USB was designed around an insecure plug-and-play model, deliberately not requiring any user interaction for devices to start working. With the Javascript USB API, the user has to give explicit permission.

      The main issue I have with the Javascript USB API is the same one as I have with all web applications - loss of freedom. I can't run old versions, I can't do much if they make changes I don't like, I probably can't fork it. But security-wise it's actually a good idea, it adds more layers of security.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  15. Re:Chrome & Safari are only browsers that matt by darkain · · Score: 4, Interesting

    Because Opera is 1) more stable, 2) has more features. Built in ad-block without any add-ons. Built in VPN without any add-ons. Built in communication tools without any add-ons.

    Google shoves blind A/B tests to live end-user clients without any notification or sign-ups whatsoever. I've had this break countless times in a corporate environment and spent days debugging this shit. One time they changed the DNS resolver code on a hand full of "test" users to an implementation that took 60+ seconds to resolve DNS addresses. Luckily, I found a buried post on the Google Help forums which described this broken behavior and which setting to disable in the chrome://flags window. But even that window just lists things as "default", not "FORCED ENABLED FOR A/B TESTING". There is literally no way to tell if you're in a test or not. And more recently, they absolutely broke printer support for a month or two, killing all web based invoicing one of my clients was doing.

    Opera? They wait for things to stabilize, then port them over to their browser. Its literally just been night and day in terms of stability switching off of Chrome and moving 100% full time over to Opera.

  16. How to disable it? by mrwireless · · Score: 2

    I couldn't find any browser plugins that block Web Assembly.

    I also couldn't find any way to disable it through settings or about:config in Chrome or Chromium.

    Any tips? Is anyone working on this?

    1. Re:How to disable it? by Anonymous Coward · · Score: 2, Informative

      Firefox about:config, set:

      javascript.options.wasm = false
      javascript.options.asmjs = false

  17. Re:Java Applets by dmpot · · Score: 2

    This sounds an awful lot like browser-based java virtual machine circa 1995.

    It only appears so at first glance. WebAssembly is a logical continuation of asm.js, which based on experience of developing of high-performance JavaScript engines. The goal of WebAssembly is to use existing Javascript engines to archive close to C performance within browsers, i.e. something that asm.js already does to lesser degree. In contrast, Java VM was developed to run independently from web browsers, and though you can run it inside a web browser, it's not integrated nearly as well with the browser.

    In many ways, WebAssembly is very different than JavaVM. For instance, WebAssembly does not have a GC, while JavaVM relies on it. WebAssembly allows only structured control flow, while you can have an arbitrary control flow in Java. (The restriction on the control flow makes validator for WebAssemply bytecode rather trivial, which helps both with loading speed and security.)

    In short, WebAssembly is a VM developed with web browsers in mind, while JavaVM was developed with different priorities.

  18. Great. Another crappy standard... by Brane2 · · Score: 2

    And they started so well.
    Initial idea of their parent project was to replace interpreted stuff with native code where possible and low-level intermediate code where it isn't ( that could be trenslated without much CPU effort).
    This means that browser would host basically just a VM machine, where it would run the code, natively in most cases.

    What it evolved into was just another mix of java/script...

    Who needs that ?

  19. Re:Java Applets by TheRaven64 · · Score: 2

    WebAssembly is explicitly designed to be separate from a web browser. The working group is actively seeking non-web uses and has not provided DOM integration in the first versions (you must go via JavaScript to touch the DOM). Oh and the restriction on flow control in WebAssembly is brain dead: validating CFI for arbitrary graphs of basic blocks is a solved problem and was a decade ago, but trying to compile a C codebase using goto or some of the more interesting variations on a switch statement into WebAssembly requires O(n^2) algorithms and potentially an O(n^2) increase in bytecode size, which the WebAssembly JIT has to then undo to be able to generate something whose performance doesn't suck.

    --
    I am TheRaven on Soylent News
  20. Re:Complexity by hcs_$reboot · · Score: 2

    Of course this

    console.log("Hello world");

    once obfuscated

    var _0xa9ff=['log','Hello\x20world'];(function(_0x50318f,_0x347f74){var _0x4aa6cf=function(_0x1a665d){while(--_0x1a665d){_0x50318f['push'](_0x50318f['shift']());}};_0x4aa6cf(++_0x347f74);}(_0xa9ff,0xaa));var _0xfa9f=function(_0x276a74,_0x406450){_0x276a74=_0x276a74-0x0;var _0x534cc5=_0xa9ff[_0x276a74];return _0x534cc5;};console[_0xfa9f('0x0')](_0xfa9f('0x1'));

    is much more readable.

    --
    Slashdot, fix the reply notifications... You won't get away with it...
  21. Intermediate representation by tepples · · Score: 2

    In the context of LLVM, JVM, CLR, and WebAssembly, IR means intermediate representation:

    An Intermediate representation (IR) is the data structure or code used internally by a compiler or virtual machine to represent source code. An IR is designed to be conducive for further processing, such as optimization and translation.

  22. So, by BitztreamNotARealNam · · Score: 2

    How's life in the hypocrite lane?