JavaScript is a bad programming language, but one of the benefits of it is that at least it’s high-level and interpreted, so we get at least some idea of what the website is doing, which privacy oriented browser extensions can take advantage of to block code and try and prevent the website from doing something the user doesn’t want it to do. Even things like specific event handlers and APIs can be blocked by extensions. With WebAssembly being a lower level language, could browsers and extensions end up with reduced ability to monitor and block website behavior? Especially if actions that normally require a call to the browser’s API can be compiled into standalone WebAssembly code, potentially making it impossible to completely block. There’s also the question of whether extensions will even be able to affect the WebAssembly code on websites.
Another concern I have is that WebAssembly is relatively new and there doesn’t seem to be any privacy software designed to keep WebAssembly sites in check, compared to the many browser extensions designed for JavaScript sites. This will probably get better with time, but it’s still an issue as of right now.
Should we be worried about any of this?
I don’t know much about WebAssembly (even though I’m kind of developing a browser game with it), but my opinion so far is basically yes, we should be worried, but I don’t really think, we should be particularly more worried than with JavaScript.
I always feel like modern JavaScript is mostly just an inefficient binary. The minification/obfuscation makes it unreadable already and no one will reverse-engineer the JavaScript even of popular webpages, especially since it may change at any point.
Your point about being able to block individual API calls, yeah, fair point. In theory, any API call can be blocked, if the API provider, i.e. browser developers, offer ways to do that. That for WebAssembly might be too niche for even Mozilla to implement it, though.
Like, honestly I’m not sure, if I’ve even really heard of that being used. Most JavaScript (and other) blocking is limited to blocking the loading from a particular domain, which should be just as possible for WebAssembly.
Finally, there is also just kind of two different perspectives: The advanced user trying to use the web while protecting themselves as much as possible and the average user that doesn’t protect themselves at all.
I don’t think, it will make any difference for the latter. Like, frankly the worst change for the broad masses will be that even more apps will be offered over the web, so even more dependence on completely unverifiable cloud services.