Comment by cpeterso

3 years ago

Fingerprinting of WebMIDI devices is already happening in the wild. It was discovered because Firefox prompted for WebMIDI access on some random e-commerce websites, whereas Chrome silently allowed websites to access MIDI devices.

https://twitter.com/denschub/status/1582730985778556931

There's so little reason to allow a browser to access USB.

  • There are many legitimate reasons for webapps to do so, like game controllers for games (or programming USB-connected robots), sensors, or, like in this case, connecting a synthesizer to it, but little reason to allow random websites to have that.

    I just wish there was a clearer distinction between them.

    I think the connection from the browser vendors to the ad companies is not helping with that.

Definitely another feature that should be put behind a whitelist.

  • Whitelists/allowlists are tricky, because they create a bias towards existing, larger players. If you're creating some new gadget, you now have to convince the browser makers to allow it through. And the browser makers need to come up with some way to have a level of confidence that requesters are not just trojan horse manufacturers. Or so lax on security that a rogue website can use your USB connection to reprogram the device's firmware to emulate an ethernet device that will MitM your network.

    You can let the user accept new entries, but then you're back to having to give random nontechnical people enough context and information to make the correct choice when a random website causes the permission dialog to appear. Empirically, that doesn't go too well.