Truly opening new possibilities, since I wouldn't have been comfortable running some sketchy script or local binary.
[1] https://web.minidisc.wiki/ [2] https://github.com/pvvx/ATC_MiThermometer
I hope Mozilla can eventually stop playing their silly role in the security theater of “but what if our users are dumb” and actually deliver those "power-user" features that would allow me to uninstall Chrome for good. Oh, and also, --app= flag please.
It's not security theater. If you go to Chromium settings -> Site settings -> permissions, and expand "additional permissions", you will see a total of 26 different permissions, each gated by the same generic "you want to use this" popup.
Permission popup fatigue is quite real, and not a security theater. And that's on top of the usual questions of implementation complexity etc.
I can ship a cross-platform application that accesses a hardware device without having to deal with all the platform specifics, and with decent sandboxing of my driver.
I think one way to make it more "secure" against unwitting users would be to only support WebUSB for devices that have a WebUSB descriptor - would allow "origin" checking.
Even for local apps it's starting to become common to ship the app in an interpreted language where the interpreter is a browser instead of say python & qt.
Whether we like the idea of the browser having access to usb or not, I at least like even less the idea of being forced to install and use Chrome for the same reasons as the bad old days of being forced to use IE.
Orygin•2h ago
gear54rus•1h ago
lpcvoid•1h ago
zb3•1h ago
lpcvoid•1h ago
Maybe an about:config switch to enable it would be enough to stop casuals from pwning their peripherals.
barnabee•48m ago
Orygin•43m ago
How is not implementing a Draft spec, which may compromise security badly, breaking computing?
Overreacting much?
zb3•21m ago
However in this particular case, even the security argument doesn't hold, either I:
a) know that I want to use USB - in that case I'll switch browsers or download a native binary (even more unsafe), it's not that I'd decide that I no longer want to flash my smartphone
b) I don't understand what's happening but I follow arbitrary instructions anyway - WebUSB changes nothing.
troupo•21m ago
So maybe don't populate the browser with dozens of features requiring permission popups?
exe34•1h ago
"I know what I'm doing, and giving a random website access to my USB host is the right thing to do."
"I'm an idiot."
gear54rus•1h ago
Orygin•45m ago
limagnolia•1h ago
baby_souffle•1h ago
skydhash•6m ago
The main issue in the former case is that google is posing itself as a gatekeeper instead of following a repo model like Debian or FreeBSD. That’s wanting control over people’s device.
Allowing USB access is just asking to break the browser sandbox, by equating the browser with the operating system.
yjftsjthsd-h•31m ago
Retr0id•1h ago
skydhash•1h ago
Retr0id•1h ago
Lerc•1h ago
Hope every time you want to interface with a USB device.
monegator•1h ago
(For the rare occurences that our customer is using 7 or earlier, we tell them to use zadig and be done with it.)
PunchyHamster•1h ago
scottbez1•1h ago
monegator•1h ago
but really most devices you want to interface to via webusb are CDC and DFU so.. problem solved?
Retr0id•1h ago
monegator•1h ago
Anyway OS 2.0 descriptors are a custom USB descriptor that basically tells the device to use WinUSB as the driver. The burden then is in the application that will have to implement the read/writes to the endpoints instead of using higher level functions provided by the custom driver.
If you ever developed software with libUSB, using WinUSB on the windows side makes things super easy for cross platform development, and you don't have to go through all the pain to have a signed driver. Win-win in my book.
pjc50•1h ago
monegator•1h ago
1313ed01•1h ago
rafram•1h ago
kristofferR•54m ago
fhn•29m ago
jazzyjackson•5m ago
Curious what your floor is for 'trustworthy', a company with a US headquarters? Personally I feel sketched out by any silicon not made in Sweden or Japan, so, pretty much all of it.
tjoff•16m ago
Right now that isn't the case and I can't remember last the time I had to uninstall untrustworthy native drivers.
A lot to lose, very little to gain?
zb3•1h ago
barnabee•46m ago
troupo•22m ago
1. Permission popups fatigue
2. Usually users select the apps they install, most sites are ephemeral. And yes, even with apps, especially on Android, people click through permission dialogs without looking because they are often too broad and confusing. With expected results such as exfiltrating user data.