Comment by toraway

The user has to choose a device themselves. The only enabled button when a WebUSB prompt appears is "Cancel" until they make a choice themselves.

A confused user will likely hit the only available button to "Cancel" which ends the process without granting any permissions.

By design it's a more conservatively designed approval prompt compared to e.g. accessing a camera or microphone where users get presented with a equally weighted "yes/no" decision.

https://imgur.com/a/5glTxvh

Also, the website can't enumerate connected devices until access is granted individually. The API call to request a device allows filtering by pre-defined vendor IDs, but with no visibility into what's connected. Meaning an attacker has to choose between:

1. showing a list of a half dozen options, which will confuse the user and likely make them cancel, or 2. narrowly target it hoping for a single result to improve odds they blindly choose it, which increases odds no devices will appear at all.

And since they can't enumerate devices until granted access, that prevents a targeted attack with e.g. a red flashing "WARNING: Your computer is infected! Pick 'USB 10/100/1000 LAN' and click 'Connect' to erase viruses immediately!"