Somehow I have the sinking feeling that the most popular "killer app" for webassembly will be circumventing user preferences like "never auto-play" - or thwarting ad blockers.
WebAssembly doesn't grant any extra permissions into the inside of the browser sandbox. Audio and canvas HTML elements already exist and don't have any innate connection to WebAssembly. (If you ignore performance, WebAssembly could be entirely polyfilled into old browsers that didn't support it through a Javascript interpreter.)
Yep, people seem to have a hard time understanding that WebAssembly doesn't add any new functionality, it just makes what JS can already do more performant (for cases that benefit from it). WebAssembly by itself is actually running inside a more restrictive sandbox even.
It's not about permissions. It's about decoding video using WebAssembly and rendering it on canvas. Browser can't prevent it. Now I'm not sure that it wasn't possible before WebAssembly... Decoding some tiny video should not be that resource-intensive. Also you could just utilize GIF.
It is about permissions. You can autoplay video just fine with HTML5. But you can't do it with sound. And how would your WebAssembly decoded video play sound? Right, using the exact same HTML5 media elements. WebAssembly doesn't allow you to somehow do different things in the page. It only allows some computations but to actually have any output it has to resort to the same APIs that your normal JS uses.
It's a bit hard to understand what the problem is, sorry.
You can block video and sound auto-play altogether, or just audio, or none, in `about:preferences#privacy`, and choose or check exceptions you've granted, but if I read the grand-parent comment correctly, an appropriate setting has already been put in place.
Additionally, if the website really wants to play audio against a visitor's will, it can try to hijack clicks and touch events. There are some plans to tighten this, the spec was designed to allow implementing various policies. It should also be possible to write a content blocker for this as a Web Extension (maybe it already exists).
Does this happen on all websites? On some websites, that you could possibly share with us, so we can have a look and understand what's up ?
Can anybody that is not satisfied about this open a ticket at https://mzl.la/363s8KN, and put in `:padenot` in the box `Request information from` (log in with github or a bugzilla account) with some info about the websites ? An alternative would be to send me an email, username at mozilla.com.
I don't suppose you dismissed one of those "totally GDPR compliant" cookie bars right before that, did you? (You may have to think very hard; it's basically muscle memory for us these days...)
I've seen this trick in the wild. "No autoplay" means "no autoplay without some user interaction first". And clicking one of those "I accept" buttons is indistinguishable from clicking on any other random element to make it play a video. So they just made the "I accept" button play the video as well as dismiss whatever thing was probably covering up the website.
More to the point, it's about decoding documents using WebAssembly and rendering that on canvas, thus circumventing browser-based discrimination between legitimate and malicious content.
This already happened. It's why the Chromium team doesn't allow blocking video completely because they saw the advertisers just working around the issue by making custom players. Those players were bloated and heavy so by blocking video for the user they didn't actually help block video and they made the problem worse.
So yes, with or without wasm, people will roll their own ways of trying to get your attention.
After playing around with immediate mode GUIs in WebAssembly, I can envision a future which renders any kind of content blocker obsolete. The internet could be turned into cable television. I don't want to sound overly pessimistic, but it seems very plausible that this is the future we will eventually end up with.
The thing with WASM though is you can always intercept it at the edges where it interacts with the DOM. The usual ad blocking tactics of either deleting particular arrangements of DOM nodes, blocking specific js/wasm payloads, and blocking specific domain names will still be unaffected. The tactics don't even need to change.
If an entire UI (content plus ads) is drawn with wasm onto a canvas (the way Qt WebAssembly does it), it will be impossible to use CSS to hide ads, and possibly more difficult to modify the script to disable the ad-loading functions.
Doesn't sound very feasible, as this would make user experience probably much worse. No native elements, no browser integration or extensions, interaction with the page, and accessibility. They all would suffer.
Right but my point is you can _already_ do this in javascript, but people largely don't. The playing field doesn't change with WASM. If some WASM code creates a canvas-based ad, we can use the usual tactics to block it (delete the element by ID/selector/etc or block that particular WASM payload)
Google is an advertising company. It would make sure there is a way to get your site indexed, perhaps by providing an alternate machine-readable version just to them. As a bonus, that version would not be available to potential competitors.
This technique is essentially the same as websites made entirely in Flash back in the day. And back then, the only way to have Google index your site was to provide a separate (hidden) version that used normal, semantic HTML.
Googlebot runs a full web browser these days and executes javascript to a certain extent. WASM will have the same treatment if/when it becomes widespread if it doesn't already.
it's an ad industry thing, not a site thing. The ad industry would really have to build the solution to host on the sites, and the problem then becomes making something every site can reasonably host, and all the headaches associated with that.
And I have the suspicion that doing it wouldn't add much to the bottom line of the company who invested in it, despite how much they like to complain about ad-blockers.
Wasm has a pretty simple execution model, wouldn’t be hard to write something that preprocesses wasm code during load, similar to what you can do with java classloaders.
Declaring something obsolete doesn't make it so. Flash went away because of iPhone and rise of mobile app and still it took about a decade for it to be irrelevant. Without a similar tectonic shift, it would take longer.
I don't think WASM can write to its code memory to self-decrypt. At some point, the WASM has to create a DOM node containing the decrypted script, at which point you can process the code.
It’s long been possible to decode H.264 using JavaScript (which obviously uses way more power than the native decoder). This is why browsers only restrict audio playback rather than actually autoplaying video.
