WebAssembly in the browser security question
Question
Assume I have a web page loaded from example.com , with some Javascript and two WebAssemblies from the same origin. I'm attempting to understand the security boundaries, but can't find a reference that puts it all together. So:
- Can either WebAssembly module directly perform HTTP operations on
example.com? (I think: yes) - Can the Javascript access any "internal" (data or code) of either WebAssembly that isn't explicitly exported? (I think: no)
- Can WebAssembly 1 access any "internal" (data or code) of WebAssembly 2 that isn't explicity exported? (I think: no)
- Can either WebAssembly access any of the Javascript (data or code)? (I think: no, unless it was a callback or such explicitly registered with it first)
What I'm really trying to get to:
- If WebAssembly 1 contains a "secret token 1", and WebAssembly 2 contains a "secret token 2", is there a way for either of them to gain access to the other's token?
1 answers
solution1
0 2021-05-14 15:55:25
If WebAssembly 1 contains a "secret token 1", and WebAssembly 2 contains a "secret token 2", is there a way for either of them to gain access to the other's token?
As they are running in the same origin, possibly yes. But you should be able to prevent this by using distinct origins via sandboxed iframes or similar.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.