# How to Disable WebAssembly (WASM)

WebAssembly (WASM) is an effort to increase the performance of in-browser JavaScript execution by introducing a highly optimized binary format that executes at near-native speed. WASM's potential is exciting. All major browser vendors have enabled WebAssembly by default.

## Security Considerations

WebAssembly increases the attack surface of any browser that supports it. In security engineering, countermeasures are typically employed to reduce the risk from potential threats. Here are a few concerning aspects of WebAssembly:

* Web server sends WASM modules to the browser in binary format
* WebAssembly execution relies on browser sandboxing for safety
* Transmission and execution do not require TLS, HSTS, or any other transport layer security mechanism
* Integrity checking is not possible as WASM modules are not required to be signed by their author
* A primary WebAssembly goal is to: *provide developers with useful primitives and mitigations for developing safe applications*.

Based on the above facts, here are some potential threats in using browsers that support WebAssembly:

* Static code analysis becomes increasingly difficult as source code may not be available.
* Sandboxing is prone to breakouts and effectiveness varies largely by implementation. Adobe Flash is an example of a technology that was sandboxed after a series of exploits, yet exploits and breakouts still occurred.
* Transmitting a binary executable format over an insecure channel is susceptible to man-in-the-middle attacks.
* Code signing, the process of verifying software has not been tampered with, is not currently possible with WASM. WASM is selling itself as the ability to run desktop-like applications in the browser, yet the operating systems it supports all have code signing requirements for installed software. Allowing random drive-by software to execute unsigned seems to be a 'feature' of WebAssembly.
* WebAssembly assumes that 'safe applications' can be derived from language subsets and a few rules to prevent specific types of behavior. This is similar to blacklisting in the security world, a technique that rarely works. The specification omits the possibility of misuse cases from its security dialog. Exploits can occur in 'safe applications' simply by using the application in a way it wasn't designed to run. Since static code analysis is not currently possible, automatically identifying potential performance issues, insider threats, security issues, and misuse cases is not possible.

The WebAssembly specification does not address any of the above threats. Therefore, I have disabled WASM on my personal browsers and have discontinued use of browsers that do not allow WASM to be disabled. To be fair, many of the threats above also apply to JavaScript, which **can** be statically analyzed or outright disabled.

## Disabling Guidance

**Edge**

Unknown. I do not use Windows, so if someone knows the answer to this, please submit a pull request.

**Firefox**

Enter `about:config` in the URL bar and change `javascript.options.wasm` to `false`.

**Chrome/Chromium**

Chrome must be launched with the following command-line argument: `--js-flags=--noexpose_wasm`. On Windows and Linux/Unix, simply appending the argument after the chrome executable is all that's required. For example:

`chrome --js-flags=--noexpose_wasm`

On macOS, the syntax is a bit different.

```bash
open /Applications/Google\ Chrome.app --args --js-flags=--noexpose_wasm
```

On Windows, modifying the registry may also be beneficial in order to maintain state between Chrome auto-updates.

```ini
HKEY_CLASSES_ROOT\ChromeHTML\shell\open\command
HKEY_CLASSES_ROOT\http\shell\open\command
HKEY_CLASSES_ROOT\https\shell\open\command
```

Uncheck the write permission on these keys so that the changes persist on the next auto-update of Chrome. Thanks to @tophf for providing information about the flag and registry settings.

**Brave**

The Brave browser (Laptop edition) is based on Chromium and the same command-line argument works on Brave as well.

**Safari**

Safari does not have advanced `about:config` functionality and the Developer mode does not have an option to disable WASM. If someone knows how to disable WASM in Safari, please submit a pull request.
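To confirm that one of the settings above took effect, the following check can be pasted into the browser's developer console. It is an added example, not part of the original README; `wasmStatus` and `EMPTY_MODULE` are names chosen here, and it assumes a browser with WASM disabled either does not expose the `WebAssembly` global or refuses to compile a module.

```javascript
// Smallest valid WASM binary: magic bytes "\0asm" followed by version 1.
// It contains no sections, so compiling it runs no third-party code.
const EMPTY_MODULE = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, // "\0asm"
  0x01, 0x00, 0x00, 0x00, // version 1
]);

// Hypothetical helper (not a browser API): classify WebAssembly availability
// on the given global object.
//   "disabled" - the WebAssembly global is not exposed at all
//   "blocked"  - the global exists, but compiling or instantiating throws
//   "enabled"  - a module can be compiled and instantiated
function wasmStatus(scope = globalThis) {
  const wasm = scope.WebAssembly;
  if (typeof wasm !== "object" || wasm === null) {
    return "disabled";
  }
  try {
    // Checking for the global alone is not enough: an exposed API can still
    // refuse to compile, so attempt a real compile and instantiate.
    const mod = new wasm.Module(EMPTY_MODULE);
    new wasm.Instance(mod, {});
    return "enabled";
  } catch (err) {
    return "blocked";
  }
}

console.log("WebAssembly status:", wasmStatus());
```

Anything other than `disabled` or `blocked` means the browser will still compile and run WASM modules, for example because it was started from a shortcut that does not pass the flag.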