Closed Bug 1456308 Opened 6 years ago Closed 6 years ago

Make WebAssembly optional

Categories

(Core :: JavaScript Engine: JIT, defect)

Product:
Core
Component:
JavaScript Engine: JIT
Version:
59 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED WONTFIX

People

(Reporter: u474838, Unassigned)

References

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0
Build ID: 20180323154952

Steps to reproduce:

Before WebAssembly is enabled by default, can we please introduce a switch like we have for WebGL or the collection of WebRTC switches? This would be a tremendous help in avoiding the situation we have with JavaScript where we need to fight ill-behaving or malicious JS by using extensions to filter and control page behavior.

WebRTC, WebGL, WebAssembler can all be useful, but unconditionally giving pages another angle to inject questionable payloads does not align with 2018 security standards. We have enough of those already, including pathological cases of CSS that can DoS a browser session.

Let's have pages request WebAssembly like they have to for persistent storage or notifications and integrate it with the planned overhaul of the permission popup/setting dialogs.

To be clear, I'm not trying to offend or troll, just making a suggestion how the feature can be introduced in a way that its power can be tamed by users without the need for another extension.

Another consideration, in addition to the permission, is, of course, introducing space and time bounds for WebAssembly, maybe similar the JS hang check.
I mean, observing the various projects that have begun releasing WebAssembly targets, it's clear that if we're not careful, we will soon be in a renaissance of ActiveX controls, Java applets, Flash applets. The various device access standards make this more evident. I don't want to have to run Firefox in a virtual machine with fake (virtual) devices just to keep it under control when fed questionable payloads.
Blocks: wasm
Component: Untriaged → JavaScript Engine: JIT
OS: Unspecified → All
Product: Firefox → Core
Hardware: Unspecified → All
Thanks for the report.

It is already possible to entirely disable WebAssembly with the about:config preference called javascript.options.wasm (set it to false instead of the "true" default). I am pretty sure that the Tor browser does this already, in highly secured modes.

> WebRTC, WebGL, WebAssembler can all be useful, but unconditionally giving pages another angle to inject questionable payloads does not align with 2018 security standards.

WebAssembly control flow is safe (no arbitrary goto), and all memory accesses are sandboxed, etc.. The only plausible way to attack it is through an exploit in the browser itself. In that manner, WebAssembly is not more safe or unsafe than any other new API we add. I don't think this should prevent us from implementing new APIs because of the introduced attack surface.

> Let's have pages request WebAssembly like they have to for persistent storage or notifications and integrate it with the planned overhaul of the permission popup/setting dialogs.

This doesn't sound plausible, as WebAssembly is likely to be used in frameworks any time soon (references: [1] [2]), so asking the user's permission to use WebAssembly would be a major source of annoyance in day-to-day usage on popular web sites.

> Another consideration, in addition to the permission, is, of course, introducing space and time bounds for WebAssembly, maybe similar the JS hang check.

Such time checks already happen, as with JS: after more than 10 seconds (by default) executing, the slow script hanger should show up. If it does not, it is an issue and I invite you to open a new bug about it. We are also considering throttling background tabs which use WebAssembly with a high CPU load (bug 1401628).

[1] React: https://www.youtube.com/watch?v=3GHJ4cbxsVQ
[2] Ember: https://www.youtube.com/watch?v=qfnkDyHVJzs&feature=youtu.be&t=5880
Thanks for the fast return, Benjamin. I realize my request is in conflict with
general goals, though please allow me to at least try to make a point and
plead for a change of policy when introducing advanced features. I'm still
not trolling.

(In reply to Benjamin Bouvier [:bbouvier] from comment #2)
> Thanks for the report.
> 
> It is already possible to entirely disable WebAssembly with the about:config
> preference called javascript.options.wasm (set it to false instead of the
> "true" default). I am pretty sure that the Tor browser does this already, in
> highly secured modes.

Thanks. I didn't think of searching for 'wasm', just tried 'assembly'.

> WebAssembly control flow is safe (no arbitrary goto), and all memory
> accesses are sandboxed, etc.. The only plausible way to attack it is through
> an exploit in the browser itself. In that manner, WebAssembly is not more
> safe or unsafe than any other new API we add. I don't think this should
> prevent us from implementing new APIs because of the introduced attack
> surface.

WASM's performance profile has inspired many use cases that were deemed
impractical before to target WASM. This mean, we are on the verge of
an ActiveX/Applet/Flash revival.

> This doesn't sound plausible, as WebAssembly is likely to be used in
> frameworks any time soon (references: [1] [2]), so asking the user's
> permission to use WebAssembly would be a major source of annoyance in
> day-to-day usage on popular web sites.

The following is more of a stream of thought and possibly incoherent
in some places. If so, please bear with me.

Given the new power unleashed, and the, some would argue, less transparent
format (bytecode vs JS script), plus the plan for having large code caches
for WASM, it has to be an annoyance. Nobody wants random sites activating
cameras or initiating WebRTC traffic and maybe participate in an illegal
webtorrent seed, but that's what's possible today because the only permissions
we are asked for is for microphone and camera, not peer connections.

I absolutely understand the argument that by enabling WASM by default we
are not really worsening the security profile of a default browser session.
However, just because JS and other features have been chosen to be enabled
unconditionally a long time ago, doesn't justify repeating the mistake
with WASM. All of these advanced and risky technologies have to be opt-in.

It's already risky to run a browser in the same user profile as the one
with all your sensitive files which might be extracted by malicious JS,
and we're trusting that the browser doesn't have bugs here which allow
a page to overreach and abuse the file APIs. Once we give access to
WASM, the door is wide open, more than before.

I opened this bug knowing the decisions has probably been made already
and features are higher prioritized than security, and I'm also aware
that my arguments are not strong enough to sway the team's opinion,
though I will still officially object and advise against opt-out.
We already have too many features that should be opt-in and often
on-demand opt-in. For instance, WebRTC networking, file access APIs,
advanced CSS and DOM, remote fonts, and especially the ability to
run JavaScript in the first place.

If you're thinking WASM and all the browser features are a nice way
to deploy applications in a better fashion than native applications
in the past, then consider the fact that you have no idea of telling
what payload is running upon a 2nd visit to a page you have previously
approved as trustworthy to get access to all features. Maybe we can
get signatures for pages and have clear separation, in order to notice
anytime something changes in a web page/app, and then reject it when
it suddenly decides to do more than initially promised.

> Such time checks already happen, as with JS: after more than 10 seconds (by
> default) executing, the slow script hanger should show up. If it does not,
> it is an issue and I invite you to open a new bug about it. We are also
> considering throttling background tabs which use WebAssembly with a high CPU
> load (bug 1401628).

Great, but that wouldn't hinder a malicious payload, since they could
strategically insert yield points to avoid hangs.
I would certainly like to argue further for a change in defaults, but I can
imagine it will be an uphill battle. So since javascript.options.wasm solves
part of the problem, I won't object if you decide to close this as WONTFIX
on grounds of different security-vs-features priorities on your part. No offense
taken or intended, just a little frustration that we have to fight for a
safe, unobtrusive, power efficient browser experience.
> Nobody wants random sites activating cameras or initiating WebRTC traffic and maybe participate in an illegal webtorrent seed, but that's what's possible today because the only permissions we are asked for is for microphone and camera, not peer connections.

Note that activating the camera should always cause a permission pop-up to show up, unless the user has permanently authorized to use the camera on that given website. WebRTC indeed leaks personal info (IP address), but it also provides many very useful features, like instant video chat between random people without any central server, p2p multiplayer game, and as you said WebTorrent, allowing decentralized alternatives to e.g. YouTube to flourish [1]. It's not only black or white here.

Same thing happens with wasm: there are wasm crypto miners on the one hand, and AAA-rated video games running in web browser (without plugins!) thanks to wasm on the other hand.

> Maybe we can get signatures for pages and have clear separation, in order to notice anytime something changes in a web page/app, and then reject it when it suddenly decides to do more than initially promised.

Good news, everyone! Such a feature already exists and is called subresource integrity [2]. More generally, note that every security feature implemented by the browser may help for WebAssembly, since it is Just The Web: SRI as I just said, but also CSP (which could forbid dynamic evaluation of wasm modules on web pages), etc.

> Great, but that wouldn't hinder a malicious payload, since they could strategically insert yield points to avoid hangs.

Indeed; it might be a story of heuristics (and a game of cat and mouse), but this could be eventually addressed.

> No offense taken or intended, just a little frustration that we have to fight for a safe, unobtrusive, power efficient browser experience.

If that's any consolation, wasm only has access to the same features as JavaScript; it just executes faster and is more compact as a transport format. Disabling wasm would create a precedent and the same arguments could be used for requesting to disable JavaScript as well, which would be quite a usability disaster, considering how JS is prevalent in modern web sites.

Bear with me, I hear and understand your concerns about safety. However, security always has been a tradeoff between what we want to protect versus what features we want. If you're concerned about wasm, then you should be concerned about JS too, and then you can use the NoScripts addon or entirely disable JS/wasm (as Tor does in the highest secured mode, if I remember correctly).

I think there are too many good things coming with wasm, and requesting opt-in for every single use would be a UX nightmare: I can imagine a non technical person would be frightened by such a question and just imagine the worse can happen if they accept to use it, so they would decline most of the time. This could result in poor usage, thus preventing wasm to accomplish its first goal, which is to make web apps much faster to start and to run. Of course we could explain what wasm is and what is the security risk, but people might not want to make the time to go read such notices.

I am also afraid this sail has shipped a long time ago, and wasm has been approved at many levels months ago. It is also implemented in every other major browser, so disabling it would make it a huge competitive disadvantage for Firefox, unless all agreed to change the way it's used. I hope my comments slightly convinced you that the situation is not as bad as initially expected. I don't know if there's anything else we can do on the browser side (that is, doing something that wouldn't require disabling wasm entirely or requesting explicit permissions with a hanger). Considering this, I propose that we close this as WONTFIX. Thanks for taking the time to give us feedback, though.

[1] https://joinpeertube.org/en/
[2] https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX
I'm glad we make the same assessment, albeit with different perspectives
and priorities. While I can see the usefulness of unconditional peer
connections and it allowing torrenting in the browser, this is exactly
the kind of feature that might result in a lawsuit aimed at browser
makers. Many users of Firefox or Chrome live in places where you can
easily get a cease and desist or worse for having participated certain
torrents. This means, if the user's browser can, unbeknownst to him,
use WebRTC to seed something or otherwise use one of the many features
to upload and share copyrighted material, they will be in trouble and
rightfully wonder how this could happen. It's like pages mining Monero,
except that your browser is implicating you in a crime.

Now, in an ideal world scripting and the ability to have the browser
do random things on the Internet would be used to modernize laws such
that the mere lookup of a DNS entry or connection to a website or
involuntary torrenting will not be base to hold the user liable. The
argument would be that browsers are autonomous due to pages possessing
the ability to control the behavior. It would be like if browsing
a website in your Tesla would give it access to the driving system and
make it navigate your car into an accident, prohibited area, or just
ignore traffic rules.

In a browser we can make this less of an issue by making the opting in
a better user experience and implementing heuristics and better filtering
mechanisms that don't need to rely on 3rd party extensions. Once we have
better mechanisms and UX for this, it will be like in the mobile space,
users wondering why foobar.com needs to access my contacts, join a
torrent, connect to www.highly-questionable.com, and access the camera
while doing so (maybe taking pictures of the person who supposedly
browsed the site with illegal content).

I know this is radical, but with the current laws it's dangerous to
use a browser since a web page can attempt to access all kinds of
remote URLs, some of which is enough to get people in jail. People
have been jailed for the mere existence of certain messaging apps
or loading the web page of said app, in some nations. I mean,
if your browser started to access the 2018 replacement of backpages.com,
judge and jury will be against you, and you will have a hard time
arguing it wasn't you but the browser. It takes people that understand
how the web works to get you acquitted, and I fear we will need one
prominent case before laws are introduced that reflect the reality
of browsers and autonomous vehicle or IoT devices that do things
on their own without consent by the owner.



Since you asked how we could improve the situation, I can make a proposal
what might help tremendously. Everyone that is aware of the risks involved
of running a 2018 browser without filters has considered or is using some
extension to selectively control website behavior. What this means is that
browsers haven't yet adopted the full set of security controls we have for
things like iOS apps.

My proposal or wish list would be this:

- improve permission popups and management of saving permissions to be
  less obtrusive and safer

- get more inspiration from Tor Bundle Browser and promote things that
  uMatrix or NoScript allow you to do as real features, not just knobs
  and extension based filter injections. This means, we would have to
  improve the way such filters can be implemented, making them first
  class similar to Safari's or Opera's ad filter systems. This is again
  going in the direction of adopting safety features from the mobile
  app systems. We can learn a lot from Tor Bundle Browser and mobile
  apps here.

- you know, if I navigate to bugzilla.mozilla.org and the new permission
  system is in place, the page will work but have disabled parts due to
  needed opt-in. With the right conventions this could be presented in
  a way that is obvious while preserving safety and privacy.


Or better yet move more things into encrypted P2P, making it normal
to do P2P and it being impossible to tell what kind of traffic your
browser participated in, restoring privacy, if done right and the
P2P app/protocol doesn't expose crucial details. This is the naive
technical solution that will be fought and tried to be outlawed
like E2E messaging getting popular has shown us.
So while, as you say, the ship may have sailed on changing defaults, when we
have the better opt-in and filtering mechanism, it's as easy as providing
something like Developer Edition in that it flips a security level switch
that you can also do in the regular channel. It's like installing a different
browser from the uneducated/unaware user's perspective, with the aim to get
a safer experience, all the while having the default Firefox session accept
and execute any kind of random payload.

The existence of browser variants and the pilot program give me confidence
that we can still fix the situation.
You need to log in before you can comment on or make changes to this bug.