
> Just because one is sandboxed and the other is not, does not mean that it's inherently more secure.

Actually, that is actually what it means. Security is the reason for the sandbox and is an essential property of the native client. Sure, bugs could exist that defeat the protections but that can just as easily be said for any code.

ActiveX is very different -- by design, there are no protections.

However, I'm not sure I understand why the code has to be native -- I think Google could have built a C-compatible VM machine language that would be easier to validate and then just JIT that in the browser. They already need a patched GCC to compile the native code for the client. And a VM JIT could be ported to other platforms besides x86. Why does it have to be native?



> Google could have built a C-compatible VM machine language that would be easier to validate

A JIT is significantly more code than the NaCl verifier, and generally JITs don't handle SIMD well.


A JIT could handle SIMD if those instructions are included in the VM. I'm not thinking about a high-level VM like Java but something considerably more low-level. A machine language with the most important features of any modern CPU but without the ambiguities and trappings of any particular architecture. In NaCl, they're already restricting the code to a subset of x86 instructions, so it's not far off.

And it doesn't even have to be JIT -- it could just be a compiler that translates from the verifiable VM code directly into x86 before anything is run.
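To make the "easier to validate" claim concrete, here is an added example (not code from the thread, NaCl, or Google) of a toy fixed-width VM machine language with a one-pass verifier and a small interpreter. The instruction set, encoding and names (`OPCODES`, `assemble`, `verify`, `run`, `DATA_MASK`) are all constructed for this illustration. Two design choices carry the security argument: every instruction is exactly 4 bytes, so instruction boundaries and jump targets are unambiguous without any disassembly heuristics, and loads/stores mask their address by definition, so the verifier does not have to pattern-match for a preceding masking instruction the way an x86 validator must.

```python
"""Toy sandbox-friendly VM: fixed-width encoding, intrinsic address masking.

Constructed example; the instruction set is not any real VM or NaCl's.
"""

INSN_SIZE = 4        # every instruction is exactly 4 bytes: opcode, ra, rb, imm8
NUM_REGS = 8         # r0..r7
DATA_MASK = 0xFFFF   # loads/stores are confined to a 64 KiB data sandbox

# opcode -> (mnemonic, kind of each of the three operand fields)
OPCODES = {
    0: ("mov",   ("reg",  "none", "imm")),     # ra = imm
    1: ("add",   ("reg",  "reg",  "none")),    # ra = ra + rb (32-bit wrap)
    2: ("load",  ("reg",  "reg",  "none")),    # ra = mem[rb & DATA_MASK]
    3: ("store", ("reg",  "reg",  "none")),    # mem[rb & DATA_MASK] = ra
    4: ("jmp",   ("none", "none", "target")),  # pc = target * INSN_SIZE
    5: ("ret",   ("none", "none", "none")),
}


def assemble(program):
    """Encode a list of (mnemonic, *operands) tuples as bytes (constructed helper)."""
    by_name = {m: op for op, (m, _) in OPCODES.items()}
    out = bytearray()
    for mnem, *ops in program:
        op = by_name[mnem]
        fields = [0, 0, 0]
        operands = iter(ops)
        for i, kind in enumerate(OPCODES[op][1]):
            if kind != "none":
                fields[i] = next(operands)
        out += bytes([op, *fields])
    return bytes(out)


def verify(code):
    """Single linear pass; returns a list of problems (empty means accepted)."""
    problems = []
    if len(code) % INSN_SIZE:
        return ["code length is not a multiple of the instruction size"]
    n = len(code) // INSN_SIZE
    for i in range(n):
        op, ra, rb, imm = code[i * INSN_SIZE:(i + 1) * INSN_SIZE]
        if op not in OPCODES:
            problems.append(f"insn {i}: unknown opcode {op}")
            continue
        mnem, kinds = OPCODES[op]
        for kind, val, name in zip(kinds, (ra, rb, imm), ("ra", "rb", "imm")):
            if kind == "none" and val != 0:
                problems.append(f"insn {i} ({mnem}): unused field {name} must be 0")
            elif kind == "reg" and val >= NUM_REGS:
                problems.append(f"insn {i} ({mnem}): register r{val} out of range")
            elif kind == "target" and val >= n:
                # Fixed width means any in-range index is a valid boundary.
                problems.append(f"insn {i} ({mnem}): jump target {val} outside code")
    if n == 0 or code[-INSN_SIZE] not in (4, 5):
        problems.append("code does not end in jmp or ret (would fall off the end)")
    return problems


def run(code, mem=None, max_steps=1000):
    """Execute verified code; returns the register file at ret."""
    if verify(code):
        raise ValueError("refusing to run unverified code")
    mem = mem if mem is not None else bytearray(DATA_MASK + 1)
    regs = [0] * NUM_REGS
    pc = 0
    for _ in range(max_steps):
        op, ra, rb, imm = code[pc:pc + INSN_SIZE]
        if op == 0:
            regs[ra] = imm
        elif op == 1:
            regs[ra] = (regs[ra] + regs[rb]) & 0xFFFFFFFF
        elif op == 2:
            regs[ra] = mem[regs[rb] & DATA_MASK]      # masking is part of the ISA
        elif op == 3:
            mem[regs[rb] & DATA_MASK] = regs[ra] & 0xFF
        elif op == 4:
            pc = imm * INSN_SIZE
            continue
        elif op == 5:
            return regs
        pc += INSN_SIZE
    raise RuntimeError("step budget exhausted")


# Constructed sample programs.
GOOD = [("mov", 1, 42), ("mov", 2, 0x10), ("store", 1, 2), ("load", 3, 2), ("ret",)]
BAD_JUMP = [("jmp", 9), ("ret",)]                       # target beyond the code
BAD_REG = [("mov", 9, 1), ("ret",)]                     # r9 does not exist
NO_RET = [("mov", 0, 1)]                                # falls off the end
# Address grows past 64 KiB (255 * 2**9 = 0x1FE00) but the store stays in bounds.
ESCAPE_ATTEMPT = [("mov", 0, 255)] + [("add", 0, 0)] * 9 + [("mov", 1, 7), ("store", 1, 0), ("ret",)]

if __name__ == "__main__":
    print("GOOD:", verify(assemble(GOOD)), run(assemble(GOOD))[3])
    for name, prog in (("BAD_JUMP", BAD_JUMP), ("BAD_REG", BAD_REG), ("NO_RET", NO_RET)):
        print(name, verify(assemble(prog)))
    print("unknown opcode:", verify(bytes([200, 0, 0, 0, 5, 0, 0, 0])))
```

Because the encoding is fixed width, `verify` never has to guess where an instruction starts, which is the ambiguity a validator for variable-length x86 has to reason about; and because `load`/`store` apply `DATA_MASK` themselves, the escape attempt in `ESCAPE_ATTEMPT` simply wraps inside the sandbox instead of needing a separately checked masking instruction.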


> A machine language with the most important features of any modern CPU but without the ambiguities and trappings of any particular architecture.

Could you elaborate? I'm not convinced that x86 looks like other architectures.


All architectures have opcodes for moving data, addition, multiplication, bit shifting, etc. They also all have a stack and registers. While the details are different (number of registers, for example), in general they all work the same.


I agree with you, and I've never heard an argument that decisively positioned native code past the bounds of what's likely to be achieved with JITs. Native also seems like a bad bet on the future of computation.



