Google is working on a new feature called Unrestricted WebUSB that allows trusted sandboxed web apps to bypass security restrictions in the WebUSB API.
WebUSB is a JavaScript API that allows web applications to access local USB devices on a computer. The WebUSB specification includes certain classes of interfaces that are safeguarded from web applications in order to prevent malicious scripts from accessing potentially sensitive data.
The list of protected interface classes includes HID (Human Interface Device), Mass Storage, Smart Card, Video, Audio/Video, and Wireless Controller. Additionally, the WebUSB specification includes a blacklist of specific USB devices that are blocked from API access, such as YubiKeys, Google Titan keys, and Feitian security keys used for multi-factor authentication. The company also noted that the WebUSB specification defines a blacklist of vulnerable devices and a table of protected interface classes that are blocked from access via WebUSB.
So, when an application with the permission tries to access a USB device, the system first checks whether the device is on the blacklist of vulnerable devices. If so, the device is usually removed from the access list. However, this restriction will be bypassed by web applications with the "usb-unrestricted" permission. The system will also check whether the device is on the list of allowed devices for the application. Additionally, it will check whether the interface being accessed is marked as protected.
The end result is that the feature allows trusted sandboxed web applications to access a wider range of USB devices, providing greater functionality.
It will be tested in Chrome 128, which will be released in August 2024.
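The access checks described above can be modelled in a few lines. This is an added example, not Chrome's code: the app object shape, the `usb` permission entry, the `checkAccess` function and the vendor/product IDs are all constructed for illustration, and treating a protected class as allowed for `usb-unrestricted` apps is one reading of the article.

```javascript
// Simplified model of the checks described above; not Chrome's implementation.
// Class codes are the standard USB base-class values for the classes the article lists.
const PROTECTED_CLASSES = new Map([
  [0x03, "HID"], [0x08, "Mass Storage"], [0x0b, "Smart Card"],
  [0x0e, "Video"], [0x10, "Audio/Video"], [0xe0, "Wireless Controller"],
]);

// Constructed blacklist entry: placeholder vendor:product pair, not a real security key.
const BLOCKLIST = new Set(["ffff:0001"]);

const idOf = (d) =>
  [d.vendorId, d.productId].map((n) => n.toString(16).padStart(4, "0")).join(":");

// app: { permissions: [...], allowedDevices: [...] } is a hypothetical shape for this example.
function checkAccess(app, device, interfaceClass) {
  const unrestricted = app.permissions.includes("usb-unrestricted");
  const id = idOf(device);
  const bypassed = []; // restrictions skipped only because of usb-unrestricted

  if (BLOCKLIST.has(id)) {
    if (!unrestricted) return { allowed: false, reason: "device is blacklisted", bypassed };
    bypassed.push("blacklist");
  }
  if (!app.allowedDevices.includes(id)) {
    return { allowed: false, reason: "device not on app's allowed list", bypassed };
  }
  const cls = PROTECTED_CLASSES.get(interfaceClass);
  if (cls !== undefined) {
    if (!unrestricted) return { allowed: false, reason: `protected class: ${cls}`, bypassed };
    bypassed.push(`protected class: ${cls}`);
  }
  return { allowed: true, reason: "ok", bypassed };
}

// Constructed sample apps and devices.
const key = { vendorId: 0xffff, productId: 0x0001 };
const cam = { vendorId: 0xffff, productId: 0x0002 };
const plain = { permissions: ["usb"], allowedDevices: ["ffff:0001", "ffff:0002"] };
const trusted = { ...plain, permissions: ["usb", "usb-unrestricted"] };

for (const [name, app] of [["plain", plain], ["trusted", trusted]]) {
  console.log(name, "key/HID:", JSON.stringify(checkAccess(app, key, 0x03)));
  console.log(name, "cam/Video:", JSON.stringify(checkAccess(app, cam, 0x0e)));
  console.log(name, "cam/vendor:", JSON.stringify(checkAccess(app, cam, 0xff)));
}
```

The `bypassed` array records which restrictions were skipped solely because of the permission, which is the detail worth logging when reviewing what a trusted app was granted.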