The answer is YES !

I think in this way browser take from the job of operating systems, interfering with them.
Maybe a better alternative would be a common communication protocol based on JSON, XML or something like that, between a USB device and the application intermediated by the host operating system. And solving many issues, also. A web browser engine can understand natively that protocol with external peripherals.

Browser should not "see" and have complete access and exclusive to a particular device, only the OS. The OS impose security policy and rules, access rights and so on, over all applications. Problems solved

Thus their move to integrate and eventually merge Chrome OS and Android with Fuchsia

In fact....their new OS Fuchsia could be just that. As a matter of fact they are ditching Linux underneath. Part of the reason given is to get out from other patent encumbrances, Java and the GPL, but also they were tired of Linux not having a standard GUI such as GNOME is becoming and also Linux not having a decent scheduler.

https://www.theverge.com/2016/8/15/1...erating-system

https://arstechnica.com/gadgets/2017...a-wild-new-ui/

It's both.

In fact, I'm typing these very words from a Chrome OS device.

OMG, you just opened my eyes to a world of pain I hadn't imagined!

These two sound like absolute horror to me.

- USB configuration tools could have two possible outcomes:
1. the configuration is valid for the browser only -- I always wanted to rewind youtube videos with foot pedals, yay!
2. the browser accesses the OS's configuration files -- no thanks! I'd rather not have a super mario web game install advertisements and spyware as autostarting services on my system.
- Firmware updates via browser (and that requires root rights) are possibly the worst imaginable security nightmare. You can view and edit all your configuration files, but you don't know which unmentioned features the firmware you just got holds. What would prevent a phishing site from gifting me a new motherboard BIOS version when I didn't look closely enough whether it was the genuine OEM site.

EDIT: Okay,SpyroRyder was faster. Seems I forgot I had the tab open for a few hours.

I guess it's for cloud integration, there's no better explanation atm.

1. The foot pedal, once configured, acts autonomously as a standard USB HID keyboard. It retains the configuration and does not rely on being tethered to the software. Currently I use the vendor's software (or replay my USB traces of it) in a virtual machine with USB passthrough, which is basically what a browser together with WebUSB is.
2. It is only capable of replaying either a) a small string, less than 96 printable characters and only supporting shift (for uppercase) as a modifier, b) a single key chord (as many modifiers as desired, and one standard key), or c) one keypress which can be held by holding the pedal. It has no direct capacity to rewrite configuration files.

Please tell me how it is worse to give a website temporary access to a USB device, rather than downloading a proprietary native package and running it as root.
Either you have a risk of running a firmware installer off a third party site and getting malware; or you go to a malware site and the attacker has to devise an attack on your system which relies on compromising a specific USB device. In the second case, the malware author needs to 1. own the same device as you 2. be knowledgeable and willing enough to reverse-engineer the device 3. be lucky that it's a device which can be feasibly used to compromise your system 4. be willing to spend at least a few weeks of full time work potentially to compromise one version of one USB device which somebody *might* just plug in and trust their site with.

Sorry, that's bogus. I would much rather people expose their USB devices than their administrator accounts. It's not the tradeoff we wanted, it's the tradeoff we have.


I get why you would like to avoid using devices like these in the first place, but for the folks who want to or have to, it is great to have an option which offers at least marginally more security. There is not a single way in which this is a step backwards either for security or for convenience.

I say stop beating around the bush and implement an API that "securely" exposes the PINs of my cards to the web. /s

Then again, I still haven't understood why my browser can't display ads without running JS, so what do I know?

The second you said, see ChromeOS.

This stuff appears to allow javascript-based drivers and applications to control USB devices, which should allow them to be multiplatform easily.

Considering how break-prone are native drivers and control applications for most such things, I'm not opposed to this.