I have been following this issue for a couple months now, and it has finally reached the stable channel on both desktop and Android. Brave now has a JITless mode toggle in chrome://flags that also enables DrumBrake, the WASM interpreter for chromium.
Vanadium and Trivalent both already enable this by default, so I feel it is appropriate that it be recommended that Brave users also enable it. It being behind a flag instead of a proper UI element is a shame, so at least mentioning it on the site would be appreciated, if that’s a concern.
From what I can tell brave://flags/#brave-v8-jitless-mode makes the chrome://settings/content/v8 toggle fully disable JIT. You should experience less breakage than in Chrome with JIT disabled (which can be accomplished through cmd line flags), for example, since Brave now supports JITless WASM with DrumBrake.
Security-wise, disabling JIT means 50% less code responsible for eval / running untrusted (in some cases, adversarial) code (Interp being the other 50%).
Historically, roughly half the security bugs in v8 (Chrome’s / Brave’s JavaScript engine) have been due to attacks on the JIT compiler. Coding up a hardened JIT compiler is a tall order, and so, in the meantime, disabling it (at the cost of up to 1.5x performance) is considered prudent.
@ignoramous Thank you for the insight! I’ve noticed that Cromite recently added a similar feature, so I was curious.
It definitely sounds like it’s worth trying out.
Btw:
If you’re using Cromite, there’s a similar option available in Site Settings > JavaScript Optimization and Security > Toggle “Speed up sites with Cromite’s V8 engine but make Cromite slightly less resistant to attacks.”
That’s for mobile. I believe the desktop version has a similar setting, though I’m not sure it’s in the same place.
Edit: while this option does reduce your attack surface, it is different from the “JIT-less” mode being discussed. Brave has this option as well as JIT-less mode.
Yep, the current V8 optimizer toggle isn’t a fully JITless mode option. This GitHub issue I think can shine some more light on that.
Essentially, the toggle that Brave, Chrome and every other chromium-based browser has only disables one component used for JIT compilation. Microsoft found that disabling just that part had minimal performance impact, while still improving a bit of attack surface.
So, Google implemented that for any user, but the best option for security would be to fully disable JIT and use DrumBrake only. This is what Edge has with its Super Duper Secure Mode, and what Trivalent and Vanadium do by default.
And now Brave finally has that option too, just not in the most ideal place. Turning the #brave-v8-jitless-mode option on changes the V8 optimizer toggle to skip the Liftoff-only mode and go straight to DrumBrake only. I would prefer if Brave implemented a proper UI that allowed for both tiers to be selected in the V8 optimizer settings, but this is still a good start. I hope that cleared some things up.
I’m really into this feature. I had to add a couple of exceptions for trusted sites, but other than that it works perfectly. I can do without Proton’s Passkey if it won’t work with this, but I’m keeping the option. I don’t see any slowdown on my beefy PC.
Not sure if this is a bug but at least from what I can observe, Brave’s JITless mode is nothing like how Edge implemented it. Everything that requires WebAssembly is breaking. My password manager extension (1Password) is also not working properly with the JITless flag enabled.
I think this one part is mistaken or mistyped (or I’m just misunderstanding something), at least Vanadium does not support running WebAssembly without JIT enabled, so I don’t think it uses DrumBrake.
Oops, I should have done research before posting; it seems they added it a few months ago, since the last time I checked the status.
If the extension you installed doesn’t work, it may be because it requires JavaScript Just-In-Time Compilation (JIT). WebAssembly without JIT is enabled on secureblue through an interpreter called DrumBrake, and this should help with extension compatibility.
To re-enable JavaScript JIT for an extension, visit chrome://extensions, under the extension with the issues, go to Details -> Site Settings, then scroll to JavaScript optimization & security and flip it to Allow. If the extension continues to not work, try reinstalling the extension.
Thanks for this. I got Proton Pass’s Passkeys to work when I did this and also added the site to V8 exceptions. So you have to trust the site, and I’ve only done it here for now.
Does anyone know if this (and also just disabling the V8 optimizer in the settings) improves anything on GrapheneOS, where the whole app already has “WebView JIT” disabled?
And on desktop (I use Windows): is it really worth it to enable V8 JITless mode? Because now the Bitwarden extension needs “JavaScript optimization & security” enabled to function, but this extension is by far the most important thing in the browser to protect. So does this somehow pose a bigger/worse attack surface in the end? I’d rather take my chances with zero-day exploits and whatnot than weaken the protection of the Bitwarden extension.
(sorry if those are stupid questions made under wrong assumptions; I’m not really familiar with those things)