When the alternative is downloading arbitrary executables I find the browser sandbox to be a reassurance.
Except the sandbox is a huge target already, and breaking it means any website can now access and mess with your USB devices. If you can develop an exploit for Chrome's WebUSB system, you potentially have millions upon millions of targets available.
Downloading an arbitrary executable can be made safe (via multiple avenues: trust, anti virus software, audits, artifact signing, reproducible builds, etc) and once the software is vetted, it exposes (or it should at least) little to no attack vector during daily use.
> trust, anti virus software, audits, artifact signing, reproducible builds, etc
My mom has six weather apps on her phone.
Buddy, if your "sandbox" lets code inside it replace your keyboard's firmware, you don't have a sandbox.
Programming your keyboard is actually a common case! See usevia.app
Then don't install the extension
It is enabled without an extension in Chrome browsers. A common complaint about Firefox is that they don't implement the Google draft spec.
It will probably come natively one day in Firefox, and we should push back against such attack vectors.