
Java plugins were mainly useful to do naughty things (for instance in a previous life I used a Java plugin to load and call into a native DLL via JNI which spawned a Win32/D3D9 game client inside a browser by attaching as a child window of the Java plugin canvas). Fun stuff but not really a good idea from a security point of view ;)

And of course this cannot be replicated with a Java plugin running in a (browser) WASM engine.




To me, this is one of the many ingenious things about TeaVM's architecture. By using the preferred code execution mechanisms of browser vendors (WASM and ECMAScript, plus Web APIs) to deliver Java code, it ensures they can't block or shut down this delivery mechanism. They would have to cut off their noses to spite their faces.

Furthermore, since the browser vendors never want browser code to have public security issues, they work hard to find and fix problems in their sandboxes and runtimes. This of course benefits TeaVM apps as well, since they play in those same sandboxes, and gives them a level playing field with other web apps in perpetuity.

Plugin-based applets were only safe as long as Sun had clout and the browser vendors were investing less in security than the Java team.


Really? What stops someone from dropping WASM support?


True, WASM adoption is still low and could feasibly be removed, but TeaVM lets you target both JavaScript and WASM GC backends, so you are future proofed either way.


All code can be abused for naughty things, including crypto miners in modern Web APIs.


True, but are people turning off ECMAScript/WASM in their browsers to avoid this? As an app developer, I want to know if my app will keep running. In the Java Applet days, at some point the security scares became frequent enough to cause articles like "Turn off Java except on websites where you are actively using it". Once your users have to find and toggle a setting to make your app work, your audience size drops significantly.

I don't see such fears around ECMAScript/WASM. Since the dominant players have a vested interest in users feeling safe leaving those technologies turned on for all websites, they'll keep investing to maintain that safety (and the marketing of that safety).

This is a massive insurance policy for building a TeaVM app -- the foundational web technologies it builds on are receiving incredible investments from industry heavyweights. It's not just security that is maintained, new Web APIs are regularly developed too. Want to use USB from your web app? No need to wait for Oracle to roll out a Java API for it -- browser vendors have made a new API and you can call it from your TeaVM app right away.


Good luck turning those things off in modern Web, unless you plan to have a custom browser.


That's why content-blockers exist.



