Integrity check when loading WASM

[matthiasgeihs]

We are loading a WASM file via the generated init and initSync functions.

Question:
Is there any integrated integrity check on the provided WASM file? Does the loader check that the expected WASM is provided? (e.g., verify against target hash)

[daxpedda]

wasm-bindgen does nothing in this regard, no.

[matthiasgeihs]

I’m wondering: has this been considered? What are the reasons for doing it / not doing it?

[daxpedda]

It has not.
I wouldn't know what exactly the benefits would be.

For safety, TCP, encryption, compression algorithm and the like already do their own checksum calculations.

For security, if an attacker can modify the delivered Wasm module, they can modify the checksum as well, so I don't see a big benefit here. Apart from the fact that if somebody breaks your HTTPS all hell breaks loose already, the Wasm module would be your least worry.

[matthiasgeihs]

You are assuming that javascript glue code and WASM come from the same source. They may not. Consider the case where the client glue code is distributed ahead of time via a trusted package manager. Due to size constraints, the WASM, however, is only loaded at runtime from a potentially untrusted source. In this case, it would be healthy to check the integrity of the WASM before loading it. Wouldn't it?

[daxpedda]

Yes, the assumption here was of course is that you are able to trust your source.
If you can't trust your source, something like that might make sense indeed.

Though I don't expect this to make any sense in wasm-bindgen, this can easily be done externally.

[matthiasgeihs]

Yep, that's what I thought. Thanks for explaining also the context!