Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Developers Create API For Direct USB Access Via Web Pages (softpedia.com)

Posted by msmash on from the improved-connectivity dept.

An anonymous reader writes: Two Google developers have uploaded an unofficial (for now) draft to the World Wide Web Consortium's Web Incubator Community Group (W3C WICG) that describes a method of interconnecting USB-capable devices to Web pages. The API, called WebUSB, allows device manufacturers to provide special "registry and landing pages" where they can host JavaScript SDKs for their USB-capable devices. Site owners can load these SDKs as iframes inside their websites, and allow a site to access and relay commands (via the iframe to the browser's WebUSB API) to the actual device. To protect privacy and security, the WebUSB API also comes with a CORS-like system that prompts users for access to their devices to avoid abuse and Web-based fingerprinting. The system is also backward compatible with devices created before the standard's approval (if it gets approved).

3 of 131 comments (clear)

  1. What could possibly go wrong? by Anonymous Coward · · Score: 2, Interesting

    How long until the "security" is bypassed and websites can arbitrarily access any and all USB devices on the system?

  2. Skeptical... by Junta · · Score: 3, Interesting

    It seems the goal is to empower developers to skip the pesky wait for actually standardizing around 'novel' device types by giving the browser pretty open ended access to USB devices...

    As a rule, I do not believe OSes themselves allow open ended access to any device by an unprivileged user process (e.g. a browser process), USB or otherwise. So it would seem the OS model for hardware would be in the way. Incidentally, this problem should be taken as a huge red flag as why this may be an ill-conceived idea.

    I would worry that should this strategy be encouraged, we would see devices that *only* are usable within a web browser. This is the first time I can recall any managed runtime environment trying to implement an independent driver model of the underlying OS. This strikes me as particularly bad form.

    In general, Javascript can't even access arbitrary files owned by the user. This is a good thing. This is flying pretty firmly in the face of Javascript in browser being a domain specific language that has *some* security by virtue of explicitly not being allowed to do everything to a system.

    --
    XML is like violence. If it doesn't solve the problem, use more.
  3. Re:We all know this is unwise. by Vairon · · Score: 3, Interesting

    Can you site a source to validate this claim?