Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

WebAssembly can interact with JavaScript, and JavaScript can access the DOM. This was a compromise to reduce attack surface and implementation effort, to get a version 1 out the door. Allowing direct DOM access would have required implementors to harden every individual DOM API to make sure the new call path doesn’t open any security holes. The WASM-to-JS layer is comparably tiny, and the JS-to-DOM layer is already there and (hopefully) secure.


But doesn't it defeat the point of using WebAssembly, since you have to pass everything through JavaScript anyway (and therefore it's at the speed of JavaScript)?


In cases where you care about performance, yes. Newer webassembly frameworks (rust from what i remember) are batching operations to the DOM for that exact reason.


But if WASM can call JS, and JS can then interact with the DOM, then doesn't tat allow WASM to exploit security holes in the DOM?




Consider applying for YC's Winter 2026 batch! Applications are open till Nov 10

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: