Google is introducing a new Unrestricted WebUSB feature that will allow certain web applications to bypass security limitations previously set in place.
The WebUSB API enables web apps to interact with local USB devices connected to a computer. However, for security reasons, some device classes like audio, video, and human interface devices (HID) were restricted from access.
Unrestricted WebUSB loosens these restrictions for trusted isolated web apps. This means these apps can access a wider range of USB devices, potentially enabling more advanced functionalities. Google emphasizes that only trusted apps will be granted this permission, signified by the “usb-unrestricted” permission. The system will also perform checks to ensure the accessed device interface isn’t on the protected list.
“The WebUSB specification defines a blocklist of vulnerable devices and a table of protected interfaces classes that are blocked from access through WebUSB,” Google noted in a Chrome status update.
“With this feature, Isolated Web Apps with permission to access the “usb-unrestricted” Permission Policy feature will be allowed to access blocklisted devices and protected interface classes.”
This feature is slated for testing in Chrome version 128, expected for release in August 2024. While it opens doors for greater functionality, it’s important to remember that trusting a web app with unrestricted USB access comes with an inherent security risk. Users should exercise caution and only grant this permission to web apps from reputable sources.
