And so the cycle turns ...
Every few years someone comes up with a 'new' way of running code in the browser.
Microsoft did it with ActiveX, which was just a way of running unverified native code from a browser with no sandboxing at all -- what could possibly go wrong?
Sun did it with Java, which allowed running interpreted bytecode 'applets' (with limited API access to the native environment) in a sandbox in a browser ... which was certainly a better approach, but the sandbox provided by the runtime was invariably leaky, in practice (partly through incompetence, and partly in the name of speed), and the security was deplorable. JIT-compiling the code and running it natively made it faster, but had further impact on the security.
The current trend is to use JavaScript (or, recently, something that compiles to JavaScript) which may be interpreted by the browser but is more usually JIT-compiled and run natively. This is regarded by many as being better than Java, but actually sucks less only because the quality of implementation is a little higher. JavaScript itself is a nightmare of a language ("strongly untyped") that's barely as readable as Perl, but has become popular because it's the only game in Browser-town (though the things that compile to JavaScript do mitigate its underlying nastiness to some extent and relegate JavaScript to the status of "the assembly language of the web").
Now we are being told that the next turn of the cycle will actually be called "WebAssembly", and that it will allow us to write web apps in our favourite languages (so, no JavaScript, at least) and compile them to the bytecode for an abstract virtual machine hosted by the browser (isn't that what Java was supposed to do?). As with Java, the browser will then either interpret the bytecode or JIT-compile it and run it natively on the host -- in some sort of sandbox if we're lucky. Maybe it will be done well and the security won't be awful; that was never achieved with Java, though.
On the one hand I really do hope that this is going to turn out to be Java done properly and not JavaScript done even worse ... but on the other hand I despair that this is just going to encourage more and more code running in the browser for no fathomable reason.
I wonder what the next turn of the cycle will bring ...?