Google is developing a new feature called Unrestricted WebUSB, which will allow trusted isolated web programs to escape security constraints in the WebUSB API.
WebUSB is a JavaScript API that enables online applications to access local USB devices on a computer. Certain interface classes in the WebUSB specification are prevented from being accessed via web applications, preventing malicious scripts from obtaining potentially sensitive data.
The protected interface classes include audio, HID (Human Interface Device), mass storage, smart cards, video, audio/video devices, and wireless controllers.
The WebUSB specification also includes a block list of specific USB devices that the API cannot access, such as YubiKeys, Google Titan keys, and Feitian security keys, which are used for multi-factor authentication.
Google is currently exploring an “Unrestricted WebUSB” functionality that enables Isolated Web Apps to access restricted devices and interfaces.
“The WebUSB specification defines a blocklist of vulnerable devices and a table of protected interface classes that are blocked from access through WebUSB,” Google stated in a Chrome status update.
“With this feature, Isolated Web Apps with permission to access the ‘usb-unrestricted’ Permission Policy feature will be allowed to access blocklisted devices and protected interface classes.”
Isolated web apps are applications that are not hosted on live web servers, but rather bundled into Web Bundles, signed by the developer, and distributed to end users. They are typically designed for internal usage by businesses.
To make this work, these web apps must have access to the “usb-unrestricted” capability.
When an app with this permission seeks to access a USB device, the system first determines whether it is on the vulnerable device blocklist. If it is, the device is normally filtered out of the list of devices the app may access.
However, web apps with the “usb-unrestricted” permission bypass this restriction.
The system also determines whether the device is in the app’s list of permitted devices. If not, then access is denied.
Furthermore, the system will determine whether the accessed interface is marked as protected. If it is, but the app does not have the “usb-unrestricted” permission, access is refused.
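The three checks above, modelled as an added example (this is not Chrome's code). The interface class codes are the standard USB-IF base class codes for the protected classes the spec names; the blocklist entries, the device objects and the app shapes are constructed for illustration.

```javascript
// Standard USB-IF base class codes for the interface classes that the WebUSB
// specification marks as protected (see the list in the article above).
const PROTECTED_INTERFACE_CLASSES = new Map([
  [0x01, "audio"],
  [0x03, "HID"],
  [0x08, "mass storage"],
  [0x0b, "smart card"],
  [0x0e, "video"],
  [0x10, "audio/video"],
  [0xe0, "wireless controller"],
]);

// Constructed sample blocklist of vendorId/productId pairs; the real list is
// maintained in the WebUSB specification, not here.
const BLOCKLIST = [{ vendorId: 0x1050, productId: 0x0407, note: "sample security key" }];

const sameDevice = (a, b) => a.vendorId === b.vendorId && a.productId === b.productId;
const isBlocklisted = (device) => BLOCKLIST.some((b) => sameDevice(b, device));

// Only an Isolated Web App can hold the "usb-unrestricted" Permission Policy.
const hasUnrestricted = (app) => app.isolated === true && app.usbUnrestricted === true;

// app: { isolated, usbUnrestricted, allowedDevices: [{ vendorId, productId }] }
// Returns { allowed, reason } in the order the article describes: blocklist,
// then the app's permitted-device list, then the protected interface class.
function evaluateUsbAccess(app, device, interfaceClass) {
  const unrestricted = hasUnrestricted(app);
  if (isBlocklisted(device) && !unrestricted) {
    return { allowed: false, reason: "device is on the WebUSB blocklist" };
  }
  if (!app.allowedDevices.some((d) => sameDevice(d, device))) {
    return { allowed: false, reason: "device not in the app's permitted devices" };
  }
  const protectedClass = PROTECTED_INTERFACE_CLASSES.get(interfaceClass);
  if (protectedClass !== undefined && !unrestricted) {
    return { allowed: false, reason: `protected interface class: ${protectedClass}` };
  }
  return { allowed: true, reason: unrestricted ? "usb-unrestricted" : "normal WebUSB access" };
}

// Models the device list an app is shown: blocklisted devices are filtered out
// unless the app holds usb-unrestricted.
function visibleDevices(app, devices) {
  const unrestricted = hasUnrestricted(app);
  return devices.filter((d) => unrestricted || !isBlocklisted(d));
}
```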
Google’s proposed feature allows trusted isolated web apps to access a wider range of USB devices, increasing functionality in a trusted environment.
Google intends to ship it for testing in Chrome 128, which will be launched in August 2024.