Discussion on: Is it just me or are we in a low-hype phase?

Darkø Tasevski • Edited

This is right, WASM is far, far from being production ready, as it's a really unsafe option that will be a step back from the current web. Wasm is just compiled bytecode that executes in the browser; it's usually C, C++ or Rust code in the background, but once compiled to wasm it looks like this:
[Image: wasm-bytecode]
Good luck debugging this, and more importantly, good luck trying to figure out what this code is meant to do on the client side. This code is much, much harder to analyze than JavaScript because Wasm is a binary format whereas JavaScript is clear text. While malicious actors often heavily obfuscate JavaScript, deobfuscation is still relatively easy. By bringing Wasm into the game, bad guys get new ways to hide and obfuscate the intentions of their code.

And as there are still no viable WASM analyzers, a WASM app is just a black box to the user. The only thing that you can do is to analyze network requests and see if there is something suspicious there. In other words, say hi to the coin miners on every site, as with a Wasm-based approach, the return on investment will be higher for the malicious actors, since heavy math calculations can be done faster with Wasm than with JavaScript. To date, the majority of Wasm samples analyzed have been associated with cryptocurrency miners. Another opportunity for an attacker may be exploitation of hardware bugs.

On a side note, it should be pointed out that Wasm is not intended to be seen as a replacement for JavaScript, but rather as a complement. For example, Wasm modules may be used for performing computation-intensive tasks and JavaScript (and HTML) for providing the UI and gluing things together.

I guess that the whole situation will improve with time, but, sadly, we're not there yet. Until then you can take a look here to learn how to disable WASM in the browsers.

Ken Bellows

On a side note, it should be pointed out that Wasm is not intended to be seen as a replacement for JavaScript, but rather as a complement. For example, Wasm modules may be used for performing computation-intensive tasks and JavaScript (and HTML) for providing the UI and gluing things together.

Yeah, this is what I meant when I said the following:

while the current counter argument is that that's just factually false, since WASM functions need to be imported into JS and run from there, that needn't always be true; if enough of the community clamors for end-to-end WASM apps, it'll probably happen eventually.

My concern is that while it's currently the case that WASM is no JS replacement, I don't necessarily trust that it will remain true, especially given how loud the cry was from the "JS sucks" community that WASM will finally let us write for the web in "real languages" etc etc. I'm not catastrophically worried or anything, I think the developers of WASM have a stake in keeping it scoped pretty narrowly for the time being at least, but I don't think we can predict what the web will look like in 5-10yrs; I could see WASM turning into a core part of the web platform that can be used independently of JS, and I agree with your concerns if that does happen. Not ready to disable WASM just yet, though; squoosh.app is just too good 😁

Darkø Tasevski

That's right, once again 😄 The web is evolving rapidly, and while my comment might seem grim and in disfavor of WASM, I really hope that it can evolve into something like JS today but without its bad parts. Sharing, collaboration, and open source are the keys for a better future, and I wouldn't want to see the web locked down and obfuscated.

Also, that's a really cool app :D Thanks for sharing!

rhymes

@puritanic

This is right, WASM is far, far from being production ready, as it's a really unsafe option that will be a step back from the current web

I agree it's far from being ready. I don't think it's inherently unsafe, it's boxed in the same box JS is. Regarding the step back or forward, it really, really depends on what developers do and what becomes popular in the next few years. If all devs do with WebAssembly is "I can't wait to recompile my desktop app, ship it in the browser, call it quits and who cares about the web" yeah, we'll have a problem. But if it's used as a performance enhancer and used in conjunction with JS, why not?

Good luck debugging this, and more importantly, good luck trying to figure out what this code is meant to do on the client side. This code is much, much harder to analyze than JavaScript because Wasm is a binary format whereas JavaScript is clear text.

WebAssembly has a text format though, not as readable as a normal programming language but I'm quite sure "view source" tools that make our lives easier will appear. I think it's too early to decide if WebAssembly will doom us all or not.

I guess that whole situation will improve with time, but, sadly, we're not there yet.

That's why we're saying it will take some time to become mainstream :)

@kenbellows

I don't necessarily trust that it will remain true, especially given how loud the cry was from the "JS sucks" community that WASM will finally let us write for the web in "real languages" etc etc.

This is a real thing, but I also don't think that developers will start throwing all the web principles out of the window just because they can finally code a textarea using Go. That's bonkers in my opinion. Also: WebAssembly still needs to talk to JS and has only a few types, I reckon that writing an entire app might even be counterproductive :D

Not ready to disable WASM just yet, though; squoosh.app is just too good 😁

Squoosh is a perfect example of why one would use WebAssembly for the transformation functions to alter images and JS for the rest of the app.

We'll see! :)
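
Added example, not part of the original thread and not written by any participant: the points above about analysing a Wasm binary and about Wasm having to talk to JS can be checked statically, by walking a module's section headers and listing its imports and exports without instantiating it. The module bytes and the names `env.log` and `run` are constructed for this illustration.

```javascript
// Constructed sample: minimal module importing env.log and exporting run().
const SAMPLE = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,       // "\0asm", version 1
  0x01, 0x04, 0x01, 0x60, 0x00, 0x00,                   // type section: () -> ()
  0x02, 0x0b, 0x01, 0x03, 0x65, 0x6e, 0x76,             // import section: "env"
  0x03, 0x6c, 0x6f, 0x67, 0x00, 0x00,                   //   "log", func, type 0
  0x03, 0x02, 0x01, 0x00,                               // function section
  0x07, 0x07, 0x01, 0x03, 0x72, 0x75, 0x6e, 0x00, 0x01, // export "run" = func 1
  0x0a, 0x06, 0x01, 0x04, 0x00, 0x10, 0x00, 0x0b,       // code: call 0; end
]);
const SECTION_NAMES = ['custom', 'type', 'import', 'function', 'table', 'memory',
  'global', 'export', 'start', 'element', 'code', 'data', 'datacount'];

// Decode an unsigned LEB128 u32 starting at `pos`.
function readU32Leb(bytes, pos) {
  let value = 0;
  for (let shift = 0; shift <= 28; shift += 7) {
    if (pos >= bytes.length) throw new Error('truncated LEB128');
    const b = bytes[pos++];
    value |= (b & 0x7f) << shift;
    if ((b & 0x80) === 0) return { value: value >>> 0, next: pos };
  }
  throw new Error('LEB128 too long for u32');
}

// Walk the section headers; nothing in the module is executed.
function listSections(bytes) {
  if (bytes.length < 8 || [0x00, 0x61, 0x73, 0x6d].some((m, i) => bytes[i] !== m)) {
    throw new Error('not a wasm binary');
  }
  const sections = [];
  let pos = 8;
  while (pos < bytes.length) {
    const id = bytes[pos];
    const { value: size, next } = readU32Leb(bytes, pos + 1);
    if (next + size > bytes.length) throw new Error('section overruns file');
    sections.push({ name: SECTION_NAMES[id] || `unknown(${id})`, size });
    pos = next + size;
  }
  return sections;
}

// Compile without instantiating, then list the JS-facing interface.
function describeModule(bytes) {
  const mod = new WebAssembly.Module(bytes);
  const imported = WebAssembly.Module.imports(mod).map(i => `${i.module}.${i.name}:${i.kind}`);
  const exported = WebAssembly.Module.exports(mod).map(e => `${e.name}:${e.kind}`);
  return { sections: listSections(bytes), imports: imported, exports: exported };
}
console.log(JSON.stringify(describeModule(SAMPLE)));
```

The import list is the part worth reading first when triaging an unknown module, since everything a module can do to the page goes through the functions JS hands it.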

Ken Bellows

For more background on squoosh and the tech that went into it, in case you're interested: youtu.be/ipNW6lJHVEs

It was built by a Google team including some of the more public faces, like Mariko Kosaka and Jake Archibald, who present the talk at that link. It's a pretty neat discussion of PWAs, WASM, and applying them practically on the web now.

rhymes

thanks!

 
Ken Bellows

WebAssembly has a text format though...

I was going to comment this myself, though I wasn't sure how usable the WASM text version is; I haven't read much about it. x86 has a text version as well, but it's horrible, haha. From the samples I have read it does seem like WASM's text version is much, much more readable and usable than traditional textified ASM.

I don't think developers will start throwing all the web principles out of the window just because they can finally code a textarea using Go.

I doubt that too, I think what I'm more nervous about is an influx of Go (or other language) developers who start saying, as you said, "I can't wait to recompile my desktop app, ship it in the browser, call it quits and who cares about the web".

Just to say it again, I'm not super pessimistic about any of this, I think our community is far more resistant to negative change than that. We're a very self-critical community that is willing to reconsider best practices over time, despite what some may say. And because of that, I think it's worth talking about the things that we need to avoid, so as to "immunize" ourselves against possible future bad practices.

I really appreciate the input from everyone in this thread; I've learned a lot, and I have a lot to think about 🙂