by cryptica 2375 days ago
I disagree because obfuscated JavaScript would already be suspicious as it is not that widespread as an industry practice. The standard industry practice for JS is minification, not obfuscation; so you can still see what functions are called and any developer can quickly identify if there is a suspicious looking AJAX request to a strange URL.

With WASM, you can't see anything. It's a complete black box. It's a lot easier for a hacker to hide stuff from users. It's easier to sneak in malicious code and it's harder to identify and remove it.

2 comments

Minification is a form of obfuscation, and a lot of libraries and commonly used scripts are purposely completely unreadable. show_ads.js, for example, is nonsense, so it's not unreasonable for a hacker to sneak into ad code, insert some dubious lines of code that do more or less anything they'd want. There are easy ways to mitigate this for sure, but it doesn't seem that WASM makes this point worse. Surely you could just as easily spot an AJAX request from a strange URL while utilising WASM too?

> With WASM, you can't see anything. It's a complete black box.

That isn't a problem in itself, as long as the only mechanisms for the black box to interact with anything else are well-defined and properly secured.

Put another way, I shouldn't need to decompile arbitrary WASM code downloaded by some site I visit, as long as it's only allowed to do anything through APIs that I'm happy with.
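
Added example, not part of the thread: the import boundary discussed in the last comment, seen from the host side. The module bytes are a constructed sample, and the names `env.send`, `run` and `auditAndRun` are hypothetical; the host enumerates the imports with `WebAssembly.Module.imports`, refuses anything not allowlisted, and records every call the module makes outward.

```javascript
// Constructed sample module (hand-assembled for this example). It imports one
// function, env.send(i32), and exports run(), which calls send(42).
const wasmBytes = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,             // magic, version
  0x01, 0x08, 0x02, 0x60, 0x01, 0x7f, 0x00, 0x60, 0x00, 0x00, // types: (i32)->(), ()->()
  0x02, 0x0c, 0x01, 0x03, 0x65, 0x6e, 0x76,                   // import "env"
  0x04, 0x73, 0x65, 0x6e, 0x64, 0x00, 0x00,                   //   "send", func type 0
  0x03, 0x02, 0x01, 0x01,                                     // one local func, type 1
  0x07, 0x07, 0x01, 0x03, 0x72, 0x75, 0x6e, 0x00, 0x01,       // export "run" = func 1
  0x0a, 0x08, 0x01, 0x06, 0x00, 0x41, 0x2a, 0x10, 0x00, 0x0b, // body: i32.const 42; call 0
]);

// Hypothetical helper: list what the module asks for, refuse anything not on
// the allowlist, and hand it recording stubs so every outbound call is logged.
function auditAndRun(bytes, allowed) {
  const mod = new WebAssembly.Module(bytes);
  const declared = WebAssembly.Module.imports(mod);
  const calls = [];
  const imports = {};
  for (const imp of declared) {
    const key = `${imp.module}.${imp.name}`;
    if (imp.kind !== 'function' || !allowed.has(key)) {
      throw new Error(`refusing import ${key} (${imp.kind})`);
    }
    imports[imp.module] = imports[imp.module] || {};
    // A real host would forward to the actual API here after its own checks.
    imports[imp.module][imp.name] = (...args) => { calls.push({ key, args }); };
  }
  const instance = new WebAssembly.Instance(mod, imports);
  instance.exports.run();
  return { declared: declared.map((i) => `${i.module}.${i.name}`), calls };
}

console.log(auditAndRun(wasmBytes, new Set(['env.send'])));
```

With an empty allowlist the same module is rejected before any of its code runs, because instantiation never happens.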