Comment by dns_snek

WebUSB is a giant gaping hole in the browser sandbox. Innocent use cases are really nice, I've used WebUSB to flash GrapheneOS on my device, but the possibilities for users to shoot themselves in the foot with nefarious website are almost endless.

Consider the fact that Chromium has to specifically blacklist Yubikey and other known WebAuthn vendor IDs, otherwise any website could talk to your Yubikey pretending to be a browser and bypass your 2FA on third party domains.

I'm conflicted on WebUSB because it's convenient but on the balance I think it's too dangerous to expose to the general public. I don't know how it could be made safer without sacrificing its utility and convenience.