stevespringett / disable-webassembly
Browser hacks to disable WebAssembly (WASM)
I'm running chromium like this (this is one line):
/home/user/bin/oldbin/chro:103+ /usr/lib/chromium-dev/chromium-dev --ssl-version-min=tls1 --disk-cache-dir=/tmp/chromiumcache --disable-sync-preferences --disable-plugins --cipher-suite-blacklist=0x0001,0x0002,0x0004,0x0005,0x0017,0x0018,0xc002,0xc007,0xc00c,0xc011,0xc016,0xff80,0xff81,0xff82,0xff83 '' --enable-one-copy --disable-zero-copy --disk-cache-dir=/tmp/chromiumcache --disable-sync-preferences --disable-plugins --cipher-suite-blacklist=0x0001,0x0002,0x0004,0x0005,0x0017,0x0018,0xc002,0xc007,0xc00c,0xc011,0xc016,0xff80,0xff81,0xff82,0xff83 --disable-component-extensions-with-background-pages --disable-background-networking --disable-webgl --disable-internal-flash --disable-bundled-ppapi-flash --disable-flash-3d --disable-flash-stage3d --disable-default-apps --ssl-version-min=tls1 --disallow-autofill-sync-credential --disable-device-discovery-notifications --disable-media-source --disable-ntp-other-sessions-menu --disable-prefixed-encrypted-media --disable-touch-adjustment --disable-views-rect-based-targeting --disable-account-consistency --enable-async-dns --enable-deferred-image-decoding --enable-download-resumption --enable-drop-sync-credential --disable-material-design-ntp --disable-new-avatar-menu --disable-new-profile-management --enable-offline-auto-reload-visible-only --disable-offline-auto-reload --show-saved-copy=primary --enable-panels --disable-password-generation --enable-permissions-bubbles --disable-extensions-on-chrome-urls --disable-pinch-virtual-viewport --disable-pinch --disable-save-password-bubble --enable-session-crashed-bubble --disable-settings-window --disable-smooth-scrolling --disable-sync-app-list --disable-sync-synced-notifications --disable-touch-editing --enable-web-based-signin --enable-sandbox-logging --log-gpu-control-list-decisions --log-level=2 --enable-logging --enable-logging=stderr --enable-harfbuzz-rendertext --enable-impl-side-painting --enable-lcd-text --enable-native-gpu-memory-buffers --ui-prioritize-in-gpu-process 
--canvas-msaa-sample-count=0 --gpu-rasterization-msaa-sample-count=0 --disable-accelerated-video-decode --enable-gpu-compositing --enable-gpu-vsync --disable-gpu-early-init --disable-gpu-memory-buffer-compositor-resources --enable-gpu-memory-buffer-video-frames --num-raster-threads=4 --force-gpu-rasterization --enable-accelerated-2d-canvas --use-gl=desktop --disable-origin-chip --disable-overlay-scrollbar --remember-cert-error-decisions=-1 --enable-search-button-in-omnibox-always --disable-spelling-auto-correct --tab-capture-downscale-quality=fast --tab-capture-upscale-quality=fast --touch-events=disabled --wallet-service-use-sandbox=0 --show-component-extension-options --disable-hyperlink-auditing --no-pings --enable-vertical-tabs --disable-audio-support-for-desktop-share --disable-nostate-prefetch --disable-es3-apis --enable-quic --show-cert-link --enable-async-image-decoding --enable-checker-imaging --disable-module-scripts --disable-picture-in-picture --disable-heap-profiling --disable-md-feedback --disable-webvr --enable-threaded-scrolling --disable-cast-streaming-hw-encoding --disable-webgl-draft-extensions --disable-spelling-feedback-field-trial --disable-navigation-tracing --disable-javascript-harmony --disable-fast-unload --disable-experimental-canvas-features --data-reduction-proxy-lo-fi=disabled --disable-offer-upload-credit-cards --enable-clear-browsing-data-counters --enable-display-list-2d-canvas --disable-es3-apis --disable-input-ime-api --disable-offer-store-unmasked-wallet-cards --disable-password-generation --disable-push-api-background-mode --site-per-process --enable-site-settings --force-text-direction=ltr --force-ui-direction=ltr --enable-lcd-text --load-media-router-component-extension=0 --mark-non-secure-as=non-secure --reduced-referrer-granularity --secondary-ui-md --top-chrome-md=material --touch-events=disabled --wallet-service-use-sandbox=0 
--enable-features=BackgroundVideoTrackOptimization,ExpensiveBackgroundTimerThrottling,FetchKeepaliveTimeoutSetting,FramebustingNeedsSameOriginOrUserGesture,HttpFormWarning,IdleTimeSpellChecking,MaterialDesignExtensions,MemoryAblation,NewAudioRenderingMixingStrategy,OffMainThreadFetch,SiteDetails,VibrateRequiresUserGesture,top-document-isolation --disable-features=NoStatePrefetch,CaptureThumbnailOnNavigatingAway,AccountConsistency,CaptureThumbnailOnLoadFinished,ClientLoFi,EnableUsernameCorrection,ExperimentalKeyboardLockUI,FeaturePolicy,GamepadExtensions,GenericSensor,IPH_DemoMode,ImageCaptureAPI,MaterialDesignIncognitoNTP,MediaRemoting,MidiManagerDynamicInstantiation,NewRemotePlaybackPipeline,OmniboxSpeculativeServiceWorkerStartOnQueryInput,OneGoogleBarOnLocalNtp,SafeSearchUrlReporting,ServiceWorkerNavigationPreload,SharedArrayBuffer,SpeculativeResourcePrefetching,TranslateLanguageByULP,TranslateUI2016Q2,UseGoogleLocalNtp,UseSuggestionsEvenIfFew,WebPayments,WebPaymentsModifiers,WebUSB,affiliation-based-matching,enable-manual-password-generation,enable-password-force-saving --disable-memory-coordinator --disable-webfonts-intervention-trigger --disable-speech-api --disable-speech-dispatcher --disable-component-update --disable-domain-reliability --component-updater=url-source=https://localhost '--vmodule=device_event_log*=1' --v8-cache-options=code --disable-asm-webassembly --js-flags=--noexpose_wasm --disable-features=AsmJsToWebAssembly --disable-features=WebAssembly,WebAssemblyStreaming --enable-tcp-fastopen --enable-experimental-canvas-features --disable-databases --disable-renderer-accessibility --js-flags=--noexpose_wasm
and I can still log into protonmail and read emails for example.
I remember not being able to log in before when web assembly was indeed disabled.
Here's chrome://version:
Chromium 76.0.3809.12 (Official Build) (64-bit)
Revision 220b19a666554bdcac56dff9ffd44c300842c933-refs/branch-heads/3809@{#83}
OS Linux
JavaScript V8 7.6.303.4
Flash (Disabled)
User Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.12 Safari/537.36
Command Line /usr/lib/chromium-dev/chromium-dev --ssl-version-min=tls1 --disk-cache-dir=/tmp/chromiumcache --disable-sync-preferences --disable-plugins --cipher-suite-blacklist=0x0001,0x0002,0x0004,0x0005,0x0017,0x0018,0xc002,0xc007,0xc00c,0xc011,0xc016,0xff80,0xff81,0xff82,0xff83 --enable-one-copy --disable-zero-copy --disk-cache-dir=/tmp/chromiumcache --disable-sync-preferences --disable-plugins --cipher-suite-blacklist=0x0001,0x0002,0x0004,0x0005,0x0017,0x0018,0xc002,0xc007,0xc00c,0xc011,0xc016,0xff80,0xff81,0xff82,0xff83 --disable-component-extensions-with-background-pages --disable-background-networking --disable-webgl --disable-internal-flash --disable-bundled-ppapi-flash --disable-flash-3d --disable-flash-stage3d --disable-default-apps --ssl-version-min=tls1 --disallow-autofill-sync-credential --disable-device-discovery-notifications --disable-media-source --disable-ntp-other-sessions-menu --disable-prefixed-encrypted-media --disable-touch-adjustment --disable-views-rect-based-targeting --disable-account-consistency --enable-async-dns --enable-deferred-image-decoding --enable-download-resumption --enable-drop-sync-credential --disable-material-design-ntp --disable-new-avatar-menu --disable-new-profile-management --enable-offline-auto-reload-visible-only --disable-offline-auto-reload --show-saved-copy=primary --enable-panels --disable-password-generation --enable-permissions-bubbles --disable-extensions-on-chrome-urls --disable-pinch-virtual-viewport --disable-pinch --disable-save-password-bubble --enable-session-crashed-bubble --disable-settings-window --disable-smooth-scrolling --disable-sync-app-list --disable-sync-synced-notifications --disable-touch-editing --enable-web-based-signin --enable-sandbox-logging --log-gpu-control-list-decisions --log-level=2 --enable-logging --enable-logging=stderr --enable-harfbuzz-rendertext --enable-impl-side-painting --enable-lcd-text --enable-native-gpu-memory-buffers --ui-prioritize-in-gpu-process 
--canvas-msaa-sample-count=0 --gpu-rasterization-msaa-sample-count=0 --disable-accelerated-video-decode --enable-gpu-compositing --enable-gpu-vsync --disable-gpu-early-init --disable-gpu-memory-buffer-compositor-resources --enable-gpu-memory-buffer-video-frames --num-raster-threads=4 --force-gpu-rasterization --enable-accelerated-2d-canvas --use-gl=desktop --disable-origin-chip --disable-overlay-scrollbar --remember-cert-error-decisions=-1 --enable-search-button-in-omnibox-always --disable-spelling-auto-correct --tab-capture-downscale-quality=fast --tab-capture-upscale-quality=fast --touch-events=disabled --wallet-service-use-sandbox=0 --show-component-extension-options --disable-hyperlink-auditing --no-pings --enable-vertical-tabs --disable-audio-support-for-desktop-share --disable-nostate-prefetch --disable-es3-apis --enable-quic --show-cert-link --enable-async-image-decoding --enable-checker-imaging --disable-module-scripts --disable-picture-in-picture --disable-heap-profiling --disable-md-feedback --disable-webvr --enable-threaded-scrolling --disable-cast-streaming-hw-encoding --disable-webgl-draft-extensions --disable-spelling-feedback-field-trial --disable-navigation-tracing --disable-javascript-harmony --disable-fast-unload --disable-experimental-canvas-features --data-reduction-proxy-lo-fi=disabled --disable-offer-upload-credit-cards --enable-clear-browsing-data-counters --enable-display-list-2d-canvas --disable-es3-apis --disable-input-ime-api --disable-offer-store-unmasked-wallet-cards --disable-password-generation --disable-push-api-background-mode --site-per-process --enable-site-settings --force-text-direction=ltr --force-ui-direction=ltr --enable-lcd-text --load-media-router-component-extension=0 --mark-non-secure-as=non-secure --reduced-referrer-granularity --secondary-ui-md --top-chrome-md=material --touch-events=disabled --wallet-service-use-sandbox=0 
--enable-features=BackgroundVideoTrackOptimization,ExpensiveBackgroundTimerThrottling,FetchKeepaliveTimeoutSetting,FramebustingNeedsSameOriginOrUserGesture,HttpFormWarning,IdleTimeSpellChecking,MaterialDesignExtensions,MemoryAblation,NewAudioRenderingMixingStrategy,OffMainThreadFetch,SiteDetails,VibrateRequiresUserGesture,top-document-isolation --disable-features=NoStatePrefetch,CaptureThumbnailOnNavigatingAway,AccountConsistency,CaptureThumbnailOnLoadFinished,ClientLoFi,EnableUsernameCorrection,ExperimentalKeyboardLockUI,FeaturePolicy,GamepadExtensions,GenericSensor,IPH_DemoMode,ImageCaptureAPI,MaterialDesignIncognitoNTP,MediaRemoting,MidiManagerDynamicInstantiation,NewRemotePlaybackPipeline,OmniboxSpeculativeServiceWorkerStartOnQueryInput,OneGoogleBarOnLocalNtp,SafeSearchUrlReporting,ServiceWorkerNavigationPreload,SharedArrayBuffer,SpeculativeResourcePrefetching,TranslateLanguageByULP,TranslateUI2016Q2,UseGoogleLocalNtp,UseSuggestionsEvenIfFew,WebPayments,WebPaymentsModifiers,WebUSB,affiliation-based-matching,enable-manual-password-generation,enable-password-force-saving --disable-memory-coordinator --disable-webfonts-intervention-trigger --disable-speech-api --disable-speech-dispatcher --disable-component-update --disable-domain-reliability --component-updater=url-source=https://localhost --vmodule=device_event_log*=1 --v8-cache-options=code --disable-asm-webassembly --js-flags=--noexpose_wasm --disable-features=AsmJsToWebAssembly --disable-features=WebAssembly,WebAssemblyStreaming --enable-tcp-fastopen --enable-experimental-canvas-features --disable-databases --disable-renderer-accessibility --flag-switches-begin --flag-switches-end
Executable Path /usr/lib/chromium-dev/chromium-dev
Profile Path /home/user/.config/chromium-dev/Default
I'm on ArchLinux.
So, either protonmail now works without webassembly (unlikely), or webassembly isn't really disabled!
Even when the respective about:config option is set to false, the example at http://webassembly.org/demo/ runs "normal".
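Both reports above come down to whether WebAssembly is really unreachable after a flag or preference change. The following probe is an added example, not code from the repository or from either poster; `probeWasm` and `EMPTY_MODULE` are names chosen here. It goes beyond a `typeof` check by trying to compile and instantiate the smallest valid module.

```javascript
// Added example: classify WebAssembly availability in a given global scope
// (window, self or globalThis). Names are illustrative, not from the project.

// Smallest valid module: "\0asm" magic followed by version 1, no sections.
const EMPTY_MODULE = new Uint8Array([0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00]);

function probeWasm(scope) {
  const result = { state: "absent", detail: "" };
  let api;
  try {
    api = scope.WebAssembly; // a hardened getter may throw instead of returning
  } catch (err) {
    result.detail = "getter threw: " + err.message;
    return result;
  }
  if (api === undefined || api === null) {
    result.detail = "WebAssembly global is " + String(api);
    return result;
  }
  // The object exists but its constructors were removed or overwritten.
  if (typeof api.Module !== "function" || typeof api.Instance !== "function") {
    result.state = "stubbed";
    result.detail = "object present, Module/Instance constructors missing";
    return result;
  }
  try {
    // Synchronous compile and instantiate of an 8-byte module. A refusal by
    // the engine or by policy surfaces here as an exception.
    const mod = new api.Module(EMPTY_MODULE);
    new api.Instance(mod, {});
    result.state = "available";
    result.detail = "empty module compiled and instantiated";
  } catch (err) {
    result.state = "blocked";
    result.detail = err.name + ": " + err.message;
  }
  return result;
}
```

Run `probeWasm(self)` from the developer console on the page under test; only `absent`, `stubbed` or `blocked` indicates the mitigation took effect in that context.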
Even if the JavaScript is coming from the origin server (not a CDN or CORS request), it can potentially be served through Fiddler AutoResponder if the request is made to go through Fiddler. Many organizations use a proxy for their internal network, which is a single point of failure in this case. How can this be mitigated? I guess JS is as vulnerable as WASM in that case? Thoughts?
nice work,
here is more.
ff:
javascript.options.asmjs = false
javascript.options.wasm = false
javascript.options.wasm_baselinejit = false
javascript.options.wasm_ionjit = false
all browsers:
["WebAssembly", "webAssembly", "mozWebAssembly", "webkitWebAssembly"]
  .forEach((item) => {
    // its elderly __proto__ reference would be nullified
    try {
      Object.keys(self[item]["__proto__"]).forEach((key) => { self[item]["__proto__"][key] = undefined; });
    } catch (err) {}
    // its prototype reference would be nullified
    try {
      Object.keys(self[item]["prototype"]).forEach((key) => { self[item]["prototype"][key] = undefined; });
    } catch (err) {}
    // reference would result with an answer - undefined.
    try {
      Object.defineProperty(self, item, {
        enumerable: true,
        configurable: true,
        set() {},
        get() { return undefined; }
      });
    } catch (err) {}
    delete self[item];
  });
feel free to use or distribute (part of API-Killer-WebAssembly)
note: the javascript can be blocked if the website serves a CSP (content security policy) that blocks javascript.
all browsers:
you can write a web extension that modifies the existing CSP headers (or adds them),
with 'wasm-eval' none;
with declarativeNetRequest and a pretty simple ruleset json file.
it will work regardless of the website or javascript support.
all browsers:
"good old" uBlock network blocking rules:
*.wasm$important
/asm/*$important,script
/wasm/*$important,script
not 100% sure way,
but the combination of all those would help.
Couldn't you just invoke a JS command delete WebAssembly as a userscript? I.e. under Content Setting in Chrome.
If so, it might be useful to add in the guidance.