[fpc-pascal] WebAssembly Target

Graeme Geldenhuys mailinglists at geldenhuys.co.uk
Thu Mar 16 15:25:31 CET 2017

On 2017-03-16 13:07, Karoly Balogh (Charlie/SGR) wrote:
> Yes, but it is important to know there's a difference with Java Applets,
> Flash and Silverlight - WebAssembly is not a plugin. It runs in the same
> VM which runs everything Javascript in the browser. So the browser vendors
> have full control on the code which runs there.

And this brings me to my next worry. As far as I understand, WebAssembly
is C (for now - other languages to follow) compiled into WebAssembly
bytecode. So now we have C code with all its pointer access, buffer
overflow issues etc running in the web browser space - at least Java
Applets were a lot safer in that regards, and Java Applets require
explicit signed executables and granted permission by the end-user (per
app, per domain etc). WebAssembly just runs - no questions asked.

Then we have the issue of code being obfuscated when compiled into
bytecode. So now it is even harder to detect malicious code.

The more I look at this, the more of a nightmare (security wise)
WebAssembly looks. Now we will have a cross-platform incubator for
malicious viruses, free to run in the web browser space, access to
low-level hardware, and all without explicit asking for or being granted
permission to run (ie: like Java Applets).

It seems I am not alone in thinking this way. Just read the comments
posted at the link listed in the first message of this thread.


More information about the fpc-pascal mailing list