@exponentialverteilt Last time I checked (which was 2020, I admit), there was no defined way to do integrity checking for wasm binaries on the user side. In times of Pegasus I find that hard to swallow.
So, with WASM, the code is still sandboxed, just like JS running on the V8 engine or the Mozilla JS engine. Also, although way harder to read, you can still access and debug the WebAssembly. You can even inspect the stack as it runs.
@jwildeboer Run your browser inside a container. 📦
@themue on qubeos. Yeah, sure. But that is kind of a dystopia, not the shiny happy web world I hope for.
@jwildeboer When I already see how systems like https://gitpod.io run a complete VS Code in your browser while backend OS runs in a container in their data center it's already crazy. Wrote my first web application as Perl CGI in 1998. With PostgreSQL as DBMS, for issue management. Pages had been dumb and everything had been done on the server.
@jwildeboer as I see it, the compiled/transpiled and minimized JavaScript running in your browser already is kind of proprietary. WASM will just make this proprietary, possibly malicious code run faster.
@jwildeboer I don't think code being #wasm will be a huge change - the JavaScript that runs now may be proprietary or not, and either minimized or asm.js compiled by enscripten about as unreadable.
My hope: #wasm will be the basis for a new generation of efficient, secure (strong sandboxing, capabilities) cross platform apps. A better, lower-level redo of the JVM, inside and outside the browser!
Sandboxing/capabilities particularly helps securely using dependencies, great for FOSS.
@jwildeboer I'm far from a web security professional, but IMHO the attack surface doesn't shift that much. Also without #wasm, bugs in rendering engines are found on a regular basis. #wasm now provides a different API for doing things, hopefully designed very carefully. But in the end, browsers are browsers and the best protection is and will probably™ ever be the layer 8.
I consider #wasm as a step in the right direction, because I'm allergic to #Javascript