
Full disclosure, I work at the company behind WCGI, but I truly believe this is a groundbreaking development that will have a significant impact on the industry.



Full disclosure, I have only minimal understanding of WebAssembly, other than using C functions inside a web browser. I run WordPress in a read-only Docker container, what better security could WCGI bring?


Here are the main differences with the Docker strategy:

* If you want it to be usable, you will need to ship it with some mechanism that allows running CGI over http (kind of Apache or Nginx), so your container would be bigger than the Wasmer package

* Regarding security: Docker containers need to rely on hardware virtualization to run securely (via KVM or similar), aside from a virtualization on the system call layer (which depends on the crun layer that you use)

Because of that, Docker containers will have the downside of: being able to run only in one chipset/OS, they will be bigger-sized and they would be slower to start up (even if you use state of the art for running them, aka Firecracker, you still get 250ms vs < 1ms with Wasmer)


> you will need to ship it with some mechanism that allows running CGI over http (kind of Apache or Nginx)

Is wasmer stable and secure enough to be exposed to abuse of the entire Internet?

> your container would be bigger than the Wasmer package

The first Google hit for "docker php nginx" is https://hub.docker.com/r/trafex/php-nginx - they claim their Docker image is 40 MB compressed, whereas Wasmer for amd64 (latest from https://github.com/wasmerio/wasmer/releases) is an 80 MB tar.gz (unpacks to 300 MB tar). Even with larger images, like the `wordpress` image (200 MB), the size is negligible.

> Because of that, Docker containers will have the downside of: being able to run only in one chipset/OS

You probably don’t need to care about architectures other than amd64 and arm64. Both are supported by the trafex/php-nginx and wordpress Docker images.

> (even if you use state of the art for running them, aka Firecracker, you still get 250ms vs < 1ms with Wasmer)

Starting a fresh VM for every request doesn’t make sense, so this difference wouldn’t matter in real life.


> whereas Wasmer for amd64 is an 80 MB tar.gz

Wasmer ships everything by default, including 3 compilers (LLVM is the big one!), which adds most of the size. However, the wasmer runtime in headless mode weighs only about 2 megabytes.

Even more, even if you include only one compiler instead of 3 (just singlepass) it would be in the order of 5-10Mb.

Stay tuned, because if you are in macOS/iOS you will see even smaller binary sizes!


I'm going to ask a very ignorant question ;;

Is it possible to spin up a 'container' or whatever you're calling the VM of a site, for each individual user? So if you have a high security req on data accessible by computers, you spin up an individual container of said site that only serves that user, and is destroyed on exit... so that whatever the user does cannot affect others?

ELI5?


Another aspect to consider is portability. WCGI, built on open standards like WebAssembly & CGI, allows for easier adoption of security improvements/updates across different platforms & environments. Definitely worth exploring alongside read-only Docker containers!



