[jfbastien]

A few ways that come to mind:

1. WebAssembly has almost no APIs to the platforms whereas Flash had a bunch (i.e. it's "as safe as JavaScript, because it can only call JavaScript"). 2. The code is all new, as opposed to what I hear is a hard-to-maintain older codebase which wasn't designed with security in mind. 3. It's very static in that memory accesses are pretty easy to bounds check for the compiler.

Implementation-wise there's plenty of interesting things that can be done to tighten security of WebAssembly.

[AnIdiotOnTheNet]

And how long do you think that'll last? As developers stubbornly persist in trying to make desktop applications on the web, they'll demand more and more access to the host, and browser developers will give it to them in an effort to one-up each other.

If anyone had actually cared about security on the web we wouldn't be where we are now.

[jfbastien]

Your phrasing leads me to believe that you distrust how web standards organizations approve new features? If that's not the case then I invite you to join the W3C Community Group and help avoid insecure additions w3.org/community/webassembly/

[kuschku]

That doesn’t help, as the browser vendors ignore the W3C entirely anyway, and just do stuff in the WHATWG.

And we already have a bluetooth stack for the web, USB drivers in JS, etc.

[jfbastien]

That is entirely incorrect for the WebAssembly CG and WG.

[kuschku]

The WebAssembly grouo may be different, but in every other group I've seen, the browsers simply didn't care about what everyone else was doing.

To the point that they redefined the URL spec and then complained that cURL didn't fulfill it.