Seems very premature to say the Wasm has "won" when it's only just come out. People were saying Flash had "won" when all the browsers had it embedded by default a decade ago.
Browsers removed Flash support, they might end up rendering Wasm useless by putting it behind loads of permission warnings.
There's also the chance it'll end up lacking as it is and it'll end up being a useless appendage that gets killed off.
Wasm doesn't need permission warnings since by default the sandbox is very restrictive.
I think the reason Browser removed Flash was more because it was an absolute security nightmare for the Browser vendors and they had to fully rely on Adobe to patch the worst of it.
Wasm on the other hand leverages the Javascript VM so browsers don't have that problem. And they don't depend on an external vendor either.
"...Wasm doesn't need permission warnings since by default the sandbox is very restrictive.."
Upcoming changes to WASM include threading and shared memory. Unless browser makers implement those features in a manner that slows the machine to a crawl, WASM certainly will be getting some security warnings. Either because security minded organizations will disable it, or because browser makers will be honest and up front about the risks with those features. (There will be either security implications, or performance implications because they implemented the new features in a secure fashion.)
What exactly are the risks with these features that don't already exist with web workers and SharedArrayBuffer? There's the obvious Spectre issue; anything apart from that?
Rowhammer doesn't need either shared memory or spectre and spectre is largely eliminated by browsers running as much as possible in different threads and then relying on OS protections, there isn't much remaining risk
"...spectre is largely eliminated by browsers running as much as possible in different threads and then relying on OS protections..."
???
Do you mean Meltdown?
Spectre is the evasive one. New variants are being found even up to today. SpectreRSB is a rather nasty one that was found 3 or 4 days ago. (Or rather, they told us about it 3 or 4 days ago for instance.)
Anyway, point is, there are no OS protections against variants of Spectre. I'm not sure how there even could be, some of these variants have been known publicly for 3 or 4 days as I said. So right now trying to patch Spectre is a lot like playing Whack-a-Mole. Personally, I think we'll end up having to live with CPU side channel attacks for the foreseeable future. People will just learn, probably the hard way, not to download untrusted executable code.
Of course, that tendency to say "no" on the part of consumers will probably impact WASM. But that should be expected.
Browsers removed Flash support, they might end up rendering Wasm useless by putting it behind loads of permission warnings.
There's also the chance it'll end up lacking as it is and it'll end up being a useless appendage that gets killed off.