disable-webassembly's People

Contributors

stevespringett

disable-webassembly's Issues

any idea why protonmail still works with disabled web assembly?

I'm running chromium like this (this is one line):
/home/user/bin/oldbin/chro:103+ /usr/lib/chromium-dev/chromium-dev --ssl-version-min=tls1 --disk-cache-dir=/tmp/chromiumcache --disable-sync-preferences --disable-plugins --cipher-suite-blacklist=0x0001,0x0002,0x0004,0x0005,0x0017,0x0018,0xc002,0xc007,0xc00c,0xc011,0xc016,0xff80,0xff81,0xff82,0xff83 '' --enable-one-copy --disable-zero-copy --disk-cache-dir=/tmp/chromiumcache --disable-sync-preferences --disable-plugins --cipher-suite-blacklist=0x0001,0x0002,0x0004,0x0005,0x0017,0x0018,0xc002,0xc007,0xc00c,0xc011,0xc016,0xff80,0xff81,0xff82,0xff83 --disable-component-extensions-with-background-pages --disable-background-networking --disable-webgl --disable-internal-flash --disable-bundled-ppapi-flash --disable-flash-3d --disable-flash-stage3d --disable-default-apps --ssl-version-min=tls1 --disallow-autofill-sync-credential --disable-device-discovery-notifications --disable-media-source --disable-ntp-other-sessions-menu --disable-prefixed-encrypted-media --disable-touch-adjustment --disable-views-rect-based-targeting --disable-account-consistency --enable-async-dns --enable-deferred-image-decoding --enable-download-resumption --enable-drop-sync-credential --disable-material-design-ntp --disable-new-avatar-menu --disable-new-profile-management --enable-offline-auto-reload-visible-only --disable-offline-auto-reload --show-saved-copy=primary --enable-panels --disable-password-generation --enable-permissions-bubbles --disable-extensions-on-chrome-urls --disable-pinch-virtual-viewport --disable-pinch --disable-save-password-bubble --enable-session-crashed-bubble --disable-settings-window --disable-smooth-scrolling --disable-sync-app-list --disable-sync-synced-notifications --disable-touch-editing --enable-web-based-signin --enable-sandbox-logging --log-gpu-control-list-decisions --log-level=2 --enable-logging --enable-logging=stderr --enable-harfbuzz-rendertext --enable-impl-side-painting --enable-lcd-text --enable-native-gpu-memory-buffers --ui-prioritize-in-gpu-process 
--canvas-msaa-sample-count=0 --gpu-rasterization-msaa-sample-count=0 --disable-accelerated-video-decode --enable-gpu-compositing --enable-gpu-vsync --disable-gpu-early-init --disable-gpu-memory-buffer-compositor-resources --enable-gpu-memory-buffer-video-frames --num-raster-threads=4 --force-gpu-rasterization --enable-accelerated-2d-canvas --use-gl=desktop --disable-origin-chip --disable-overlay-scrollbar --remember-cert-error-decisions=-1 --enable-search-button-in-omnibox-always --disable-spelling-auto-correct --tab-capture-downscale-quality=fast --tab-capture-upscale-quality=fast --touch-events=disabled --wallet-service-use-sandbox=0 --show-component-extension-options --disable-hyperlink-auditing --no-pings --enable-vertical-tabs --disable-audio-support-for-desktop-share --disable-nostate-prefetch --disable-es3-apis --enable-quic --show-cert-link --enable-async-image-decoding --enable-checker-imaging --disable-module-scripts --disable-picture-in-picture --disable-heap-profiling --disable-md-feedback --disable-webvr --enable-threaded-scrolling --disable-cast-streaming-hw-encoding --disable-webgl-draft-extensions --disable-spelling-feedback-field-trial --disable-navigation-tracing --disable-javascript-harmony --disable-fast-unload --disable-experimental-canvas-features --data-reduction-proxy-lo-fi=disabled --disable-offer-upload-credit-cards --enable-clear-browsing-data-counters --enable-display-list-2d-canvas --disable-es3-apis --disable-input-ime-api --disable-offer-store-unmasked-wallet-cards --disable-password-generation --disable-push-api-background-mode --site-per-process --enable-site-settings --force-text-direction=ltr --force-ui-direction=ltr --enable-lcd-text --load-media-router-component-extension=0 --mark-non-secure-as=non-secure --reduced-referrer-granularity --secondary-ui-md --top-chrome-md=material --touch-events=disabled --wallet-service-use-sandbox=0 
--enable-features=BackgroundVideoTrackOptimization,ExpensiveBackgroundTimerThrottling,FetchKeepaliveTimeoutSetting,FramebustingNeedsSameOriginOrUserGesture,HttpFormWarning,IdleTimeSpellChecking,MaterialDesignExtensions,MemoryAblation,NewAudioRenderingMixingStrategy,OffMainThreadFetch,SiteDetails,VibrateRequiresUserGesture,top-document-isolation --disable-features=NoStatePrefetch,CaptureThumbnailOnNavigatingAway,AccountConsistency,CaptureThumbnailOnLoadFinished,ClientLoFi,EnableUsernameCorrection,ExperimentalKeyboardLockUI,FeaturePolicy,GamepadExtensions,GenericSensor,IPH_DemoMode,ImageCaptureAPI,MaterialDesignIncognitoNTP,MediaRemoting,MidiManagerDynamicInstantiation,NewRemotePlaybackPipeline,OmniboxSpeculativeServiceWorkerStartOnQueryInput,OneGoogleBarOnLocalNtp,SafeSearchUrlReporting,ServiceWorkerNavigationPreload,SharedArrayBuffer,SpeculativeResourcePrefetching,TranslateLanguageByULP,TranslateUI2016Q2,UseGoogleLocalNtp,UseSuggestionsEvenIfFew,WebPayments,WebPaymentsModifiers,WebUSB,affiliation-based-matching,enable-manual-password-generation,enable-password-force-saving --disable-memory-coordinator --disable-webfonts-intervention-trigger --disable-speech-api --disable-speech-dispatcher --disable-component-update --disable-domain-reliability --component-updater=url-source=https://localhost '--vmodule=device_event_log*=1' --v8-cache-options=code --disable-asm-webassembly --js-flags=--noexpose_wasm --disable-features=AsmJsToWebAssembly --disable-features=WebAssembly,WebAssemblyStreaming --enable-tcp-fastopen --enable-experimental-canvas-features --disable-databases --disable-renderer-accessibility --js-flags=--noexpose_wasm

and I can still log into protonmail and read emails for example.
I remember not being able to log in before when web assembly was indeed disabled.

Here's chrome://version:

Chromium	76.0.3809.12 (Official Build) (64-bit)
Revision	220b19a666554bdcac56dff9ffd44c300842c933-refs/branch-heads/3809@{#83}
OS	Linux
JavaScript	V8 7.6.303.4
Flash	(Disabled)
User Agent	Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.12 Safari/537.36
Command Line	/usr/lib/chromium-dev/chromium-dev --ssl-version-min=tls1 --disk-cache-dir=/tmp/chromiumcache --disable-sync-preferences --disable-plugins --cipher-suite-blacklist=0x0001,0x0002,0x0004,0x0005,0x0017,0x0018,0xc002,0xc007,0xc00c,0xc011,0xc016,0xff80,0xff81,0xff82,0xff83 --enable-one-copy --disable-zero-copy --disk-cache-dir=/tmp/chromiumcache --disable-sync-preferences --disable-plugins --cipher-suite-blacklist=0x0001,0x0002,0x0004,0x0005,0x0017,0x0018,0xc002,0xc007,0xc00c,0xc011,0xc016,0xff80,0xff81,0xff82,0xff83 --disable-component-extensions-with-background-pages --disable-background-networking --disable-webgl --disable-internal-flash --disable-bundled-ppapi-flash --disable-flash-3d --disable-flash-stage3d --disable-default-apps --ssl-version-min=tls1 --disallow-autofill-sync-credential --disable-device-discovery-notifications --disable-media-source --disable-ntp-other-sessions-menu --disable-prefixed-encrypted-media --disable-touch-adjustment --disable-views-rect-based-targeting --disable-account-consistency --enable-async-dns --enable-deferred-image-decoding --enable-download-resumption --enable-drop-sync-credential --disable-material-design-ntp --disable-new-avatar-menu --disable-new-profile-management --enable-offline-auto-reload-visible-only --disable-offline-auto-reload --show-saved-copy=primary --enable-panels --disable-password-generation --enable-permissions-bubbles --disable-extensions-on-chrome-urls --disable-pinch-virtual-viewport --disable-pinch --disable-save-password-bubble --enable-session-crashed-bubble --disable-settings-window --disable-smooth-scrolling --disable-sync-app-list --disable-sync-synced-notifications --disable-touch-editing --enable-web-based-signin --enable-sandbox-logging --log-gpu-control-list-decisions --log-level=2 --enable-logging --enable-logging=stderr --enable-harfbuzz-rendertext --enable-impl-side-painting --enable-lcd-text --enable-native-gpu-memory-buffers --ui-prioritize-in-gpu-process 
--canvas-msaa-sample-count=0 --gpu-rasterization-msaa-sample-count=0 --disable-accelerated-video-decode --enable-gpu-compositing --enable-gpu-vsync --disable-gpu-early-init --disable-gpu-memory-buffer-compositor-resources --enable-gpu-memory-buffer-video-frames --num-raster-threads=4 --force-gpu-rasterization --enable-accelerated-2d-canvas --use-gl=desktop --disable-origin-chip --disable-overlay-scrollbar --remember-cert-error-decisions=-1 --enable-search-button-in-omnibox-always --disable-spelling-auto-correct --tab-capture-downscale-quality=fast --tab-capture-upscale-quality=fast --touch-events=disabled --wallet-service-use-sandbox=0 --show-component-extension-options --disable-hyperlink-auditing --no-pings --enable-vertical-tabs --disable-audio-support-for-desktop-share --disable-nostate-prefetch --disable-es3-apis --enable-quic --show-cert-link --enable-async-image-decoding --enable-checker-imaging --disable-module-scripts --disable-picture-in-picture --disable-heap-profiling --disable-md-feedback --disable-webvr --enable-threaded-scrolling --disable-cast-streaming-hw-encoding --disable-webgl-draft-extensions --disable-spelling-feedback-field-trial --disable-navigation-tracing --disable-javascript-harmony --disable-fast-unload --disable-experimental-canvas-features --data-reduction-proxy-lo-fi=disabled --disable-offer-upload-credit-cards --enable-clear-browsing-data-counters --enable-display-list-2d-canvas --disable-es3-apis --disable-input-ime-api --disable-offer-store-unmasked-wallet-cards --disable-password-generation --disable-push-api-background-mode --site-per-process --enable-site-settings --force-text-direction=ltr --force-ui-direction=ltr --enable-lcd-text --load-media-router-component-extension=0 --mark-non-secure-as=non-secure --reduced-referrer-granularity --secondary-ui-md --top-chrome-md=material --touch-events=disabled --wallet-service-use-sandbox=0 
--enable-features=BackgroundVideoTrackOptimization,ExpensiveBackgroundTimerThrottling,FetchKeepaliveTimeoutSetting,FramebustingNeedsSameOriginOrUserGesture,HttpFormWarning,IdleTimeSpellChecking,MaterialDesignExtensions,MemoryAblation,NewAudioRenderingMixingStrategy,OffMainThreadFetch,SiteDetails,VibrateRequiresUserGesture,top-document-isolation --disable-features=NoStatePrefetch,CaptureThumbnailOnNavigatingAway,AccountConsistency,CaptureThumbnailOnLoadFinished,ClientLoFi,EnableUsernameCorrection,ExperimentalKeyboardLockUI,FeaturePolicy,GamepadExtensions,GenericSensor,IPH_DemoMode,ImageCaptureAPI,MaterialDesignIncognitoNTP,MediaRemoting,MidiManagerDynamicInstantiation,NewRemotePlaybackPipeline,OmniboxSpeculativeServiceWorkerStartOnQueryInput,OneGoogleBarOnLocalNtp,SafeSearchUrlReporting,ServiceWorkerNavigationPreload,SharedArrayBuffer,SpeculativeResourcePrefetching,TranslateLanguageByULP,TranslateUI2016Q2,UseGoogleLocalNtp,UseSuggestionsEvenIfFew,WebPayments,WebPaymentsModifiers,WebUSB,affiliation-based-matching,enable-manual-password-generation,enable-password-force-saving --disable-memory-coordinator --disable-webfonts-intervention-trigger --disable-speech-api --disable-speech-dispatcher --disable-component-update --disable-domain-reliability --component-updater=url-source=https://localhost --vmodule=device_event_log*=1 --v8-cache-options=code --disable-asm-webassembly --js-flags=--noexpose_wasm --disable-features=AsmJsToWebAssembly --disable-features=WebAssembly,WebAssemblyStreaming --enable-tcp-fastopen --enable-experimental-canvas-features --disable-databases --disable-renderer-accessibility --flag-switches-begin --flag-switches-end
Executable Path	/usr/lib/chromium-dev/chromium-dev
Profile Path	/home/user/.config/chromium-dev/Default

I'm on ArchLinux.

So, either protonmail now works without webassembly (unlikely), or webassembly isn't really disabled!

What if JavaScript is served through something like Fiddler AutoResponder?

Even if the JavaScript is coming from the origin server (not a CDN or CORS request), it can potentially be served through Fiddler AutoResponder if the request is made to go through Fiddler. Many organizations use a proxy for the internal network, which is a single point of failure in this case. How can this be mitigated? I guess JS is as vulnerable as WASM in that case? Thoughts?

+

nice work,
here is more.

ff:
javascript.options.asmjs false
javascript.options.wasm false
javascript.options.wasm_baselinejit false
javascript.options.wasm_ionjit false


all browsers:

["WebAssembly", "webAssembly", "mozWebAssembly", "webkitWebAssembly"]
.forEach((item) => {

  //its elderly __proto__ reference would be nullified
  try {
    Object.keys(self[item]["__proto__"]).forEach((key) => { self[item]["__proto__"][key] = undefined; });
  } catch (err) {}

  //its prototype reference would be nullified
  try {
    Object.keys(self[item]["prototype"]).forEach((key) => { self[item]["prototype"][key] = undefined; });
  } catch (err) {}

  //reference would result with an answer - undefined.
  try {
    Object.defineProperty(self, item, {
      enumerable: true,
      configurable: true,
      set() {},
      get() { return undefined; }
    });
  } catch (err) {}

  delete self[item];
});

feel free to use or distribute
(part of API-Killer-WebAssembly)

note: the javascript can be blocked if the website serves a CSP (Content Security Policy) that blocks javascript.


all browsers:

you can write a web extension that modifies the existing CSP headers (or adds them),
with 'wasm-eval' none;
with declarativeNetRequest and a pretty simple ruleset json file.
it will work regardless of the website or javascript support.


all browsers:

"good old" uBlock network blocking rules:

*.wasm$important
/asm/*$important,script
/wasm/*$important,script

not 100% sure way,
but the combination of all those would help.

I have disabled Web Assembly in my Chrome, but nothing changed

Chrome Version 65.0.3325.181 (Official Build) (64-bit)

[Screenshot: 2018-03-26 at 16 11 05]

I then tried different WASM applications, especially coinhive.com and other ads-crypto-miners: they all still work just fine.

I'm trying to protect myself without the need of using AdBlock for it. But Chrome is making it really hard.
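Two of the reports above (Chromium 76 with the wasm flags set, and Chrome 65) come down to the same question: is WebAssembly actually off in the running browser? The following check is an added example, not code from the thread or from the disable-webassembly project; the function name `probeWebAssembly` and the state labels are made up for illustration. It can be pasted into the DevTools console of the page under test or run under Node.

```javascript
// Added example: classify the WebAssembly state of a JavaScript scope.
// Smallest valid module: the "\0asm" magic followed by version 1, no sections.
const EMPTY_MODULE = new Uint8Array([0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00]);

function probeWebAssembly(scope = globalThis) {
  const wasm = scope.WebAssembly;

  // Flags or scripts that remove the global leave nothing to call.
  if (typeof wasm !== "object" || wasm === null) {
    return { state: "absent", detail: "no WebAssembly global in this scope" };
  }

  // A partially stripped namespace (some entry points deleted or set to undefined).
  const missing = ["Module", "Instance", "validate", "instantiate"]
    .filter((name) => typeof wasm[name] !== "function");
  if (missing.length > 0) {
    return { state: "crippled", detail: "missing: " + missing.join(", ") };
  }

  // The global exists; the real test is whether compilation is permitted.
  // A policy that forbids wasm compilation makes this throw.
  try {
    const mod = new wasm.Module(EMPTY_MODULE);
    new wasm.Instance(mod, {});
  } catch (err) {
    return { state: "blocked", detail: err.name + ": " + err.message };
  }
  return { state: "enabled", detail: "empty module compiled and instantiated" };
}

// Report the state of the current scope when run stand-alone.
console.log(probeWebAssembly());
```

A result of "enabled" on a page that is expected to have wasm turned off means the flag, preference or script did not take effect in that context; run the check again inside workers and iframes, since each has its own global scope.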
