Hacker News new | past | comments | ask | show | jobs | submit login

The last thing we need in hindsight to Meltdown and Spectre is running untrusted binaries in the browser aka WebAssembly.

Btw deactivating WebAssembly support in Chrome 63 (up-to-date) doesn't work anymore!!

  chrome://flags/#enable-webassembly
Setting it to "deactivated" does nothing, WebAssembly is still active.



I keep saying that WebAssembly is the revenge of Flash, Applets, Silverlight, ActiveX,...

Just wait until it gets a bit more mature.

It will be the same fun as when Ads moved away from Flash into HTML 5/JavaScript.


Well, in general the problem with flash was the plugin wasn't well isolated, and often would crash the browser, and before NT-based windows was common the entire OS pretty readily (presumes windows). Not to mention the security track record. Browser isolation, and how well it will likely be with wasm is quite a bit different.

That said, it will lead to more closed commercial sites, but the JS outputted from webpack+babel+uglify is already unbelievably difficult to wade through without source maps. It's not significantly different imho.


> untrusted binaries

afaik, wasm is not 'binaries' in that it's not an arbitrary blob of machine code fed right into the cpu. it's still running in a sandbox (a la javascript) including similar limitations wrt CORS etc.


And a sandbox so powerful that all the browser vendors just turned off SharedArrayBuffer.

https://www.chromium.org/Home/chromium-security/ssca

https://blog.mozilla.org/security/2018/01/03/mitigations-lan...

WASM is portable binaries.


well, i guess in the same way that javascript or anything else is, when there are sandbox escapes. bugs are a thing.


> it's still running in a sandbox (a la javascript)

People frequently make this comparison upon hearing the term sandbox, but this is a weak comparison. Yes JavaScript executes in a sandbox, but the JavaScript (JIT) sandbox is purely for performance instead of isolation, which is like comparing a pencil sharpener to a bulldozer just because they are both portable machines. A better comparison of the JavaScript (JIT) sandbox is the JVM.




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: