I recently flashed GrapheneOS on a Pixel for a friend. I was very surprised that you can do this entire process from the browser using WebUSB - the only downside being that it required me to launch Chromium.
Orygin 44 minutes ago [-]
No thanks. I'll accept it in my browser when they fix the security implications this raises, and when the Spec is no longer in draft.
Retr0id 35 minutes ago [-]
The security implications of not having WebUSB are having to install untrustworthy native drivers every time you want to interface with a USB device.
1313ed01 23 minutes ago [-]
Sounds like something that could have a standalone usb-driver-container or special chromium fork for the 0.00001% of users that need it instead of bloating every browser with yet another niche API and the inevitable security holes it will bring.
rafram 21 minutes ago [-]
On macOS, I think I've installed device drivers exactly once in the last decade, and they were for a weird printer.
PunchyHamster 26 minutes ago [-]
You can have userspace drivers for usb devices in Linux
skydhash 28 minutes ago [-]
That sounds like a Windows problem.
Retr0id 25 minutes ago [-]
I'm not familiar with the Windows platform but although you can have userspace USB drivers on linux, you still need to be able to run code that can talk to the sysfs interface.
Lerc 24 minutes ago [-]
The Linux problem is more
Hope every time you want to interface with a USB device.
monegator 21 minutes ago [-]
Not really, as long as the firmware developers used OS 2.0 descriptors
(For the rare occurences that our customer is using 7 or earlier, we tell them to use zadig and be done with it.)
monegator 23 minutes ago [-]
you do know microsoft OS 2.0 descriptors are a thing, right?
or that you can force the unknown device to use WinUSB
but really most devices you want to interface to via webusb are CDC and DFU so.. problem solved?
Retr0id 19 minutes ago [-]
I'm unfamiliar with the Windows platform but that sounds like something that still requires executing code locally.
monegator 13 minutes ago [-]
Not sure what you mean.
Anyway OS 2.0 descriptors are a custom USB descriptor that basically tells the device to use WinUSB as the driver. The burden then is in the application that will have to implement the read/writes to the endpoints instead of using higher level functions provided by the custom driver.
If you ever developed software with libUSB, using WinUSB on the windows side makes things super easy for cross platform development, and you don't have to go through all the pain to have a signed driver. Win-win in my book.
yes, you can always use some nasty protocol over HID for your devices. But really most of what i do is one or multiple bulk endpoints so i can achieve full bandwidth (downloading firmware, streaming data, ...)
OS2.0 made it possible to do it without having to write and sign a driver
zb3 30 minutes ago [-]
What are the security implications this raises that downloading native programs (needed for example to flash my smartphone) doesn't raise?
gear54rus 42 minutes ago [-]
And I'll just fire up a chrome instance which I specifically keep for when my daily driver firefox decides to spazz out and not implement basics in 2026 :'(
lpcvoid 33 minutes ago [-]
How do you make sure that technically illiterate people don't just click away the requestDevice() popup? IMHO a browser offering device level USB access is a security nightmare and there is no way this can ever be made safe and convenient at the same time.
limagnolia 9 minutes ago [-]
Isn't that the same excuse Gooogle is using to lrevent folks from installing what they want on Android phones?
gear54rus 10 minutes ago [-]
You simply don't. This quest of saving idiots from themselves is not gaining anyone anything and meanwhile other people get more and more useless restrictions.
exe34 26 minutes ago [-]
You can ask them to type one of the following sentences:
"I know what I'm doing, and giving a random website access to my USB host is the right thing to do."
"I'm an idiot."
zb3 28 minutes ago [-]
They can click everything away, so maybe educate them or buy an ios device for your relatives instead of breaking computing for everyone else.
lpcvoid 25 minutes ago [-]
Fair, but remember that we are the <~1% of people who even know what webusb is. I'm not sure I share your view on this.
Maybe an about:config switch to enable it would be enough to stop casuals from pwning their peripherals.
afavour 39 minutes ago [-]
Looks to be a great proof of concept. No, running a standalone executable alongside the browser is not the way you'd want to do WebUSB. But it's great to see someone working on it.
Rendered at 14:15:00 GMT+0000 (Coordinated Universal Time) with Vercel.
Hope every time you want to interface with a USB device.
(For the rare occurences that our customer is using 7 or earlier, we tell them to use zadig and be done with it.)
but really most devices you want to interface to via webusb are CDC and DFU so.. problem solved?
Anyway OS 2.0 descriptors are a custom USB descriptor that basically tells the device to use WinUSB as the driver. The burden then is in the application that will have to implement the read/writes to the endpoints instead of using higher level functions provided by the custom driver.
If you ever developed software with libUSB, using WinUSB on the windows side makes things super easy for cross platform development, and you don't have to go through all the pain to have a signed driver. Win-win in my book.
"I know what I'm doing, and giving a random website access to my USB host is the right thing to do."
"I'm an idiot."
Maybe an about:config switch to enable it would be enough to stop casuals from pwning their peripherals.