Webassembly is good but doesn't the thought scare you that sites will now be able to run full binary programs on your devices?

Until now, they were able to run interpreted JavaScript. However obfuscated it may be, you can always read it or at least scan its source to ensure its not doing anything wrong.

But webassemblies are just binary blobs or black boxes, so to speak. That code is able to do literally anything to your devices. Aren't you concerned by this fact?

Comments

[Nikola Stojaković]

But webassemblies are just binary blobs or black boxes, so to speak. That code is able to do literally anything to your devices.

That's not how it works. WebAssembly is a binary instruction format, but it doesn't mean you have actual binaries which are executed by the underlying system. It will be used in browser's sandboxed environment, just like JavaScript.

WebAssembly describes a memory-safe, sandboxed execution environment that may even be implemented inside existing JavaScript virtual machines. When embedded in the web, WebAssembly will enforce the same-origin and permissions security policies of the browser.

👉 webassembly.org

[Austin S. Hemmelgarn]

Compiled web assembly isn't native machine code. In fact, it couldn't be native machine code, otherwise it wouldn't be portable. It's just like JVM or CLR byte-code in that respect, though it's easier to disassemble than both.

On top of that though, it's run in an environment pretty much equivalent to JavaScript in terms of security (so, reasonably good security short of hyper-targeted attacks).

[Jeremy Forsythe]

Not at all. They are designed to be safe.

[Tari R. Alfaro]

Read what Nikola and Austin said. You need special Web Assembly compilers for your language of choice. It's NOT low-level machine code that could be run on any particular OS or bare metal.