Google is working on a new Unrestricted WebUSB feature, which allows trusted isolated web apps to bypass security restrictions in the WebUSB API.
WebUSB is a JavaScript API that allows web applications to access local USB devices on a computer. As part of the WebUSB specification, there are certain interface classes that are protected from being accessed via web applications to prevent malicious scripts from accessing potentially sensitive data.
The list of protected interface classes is audio, HID (Human Interface Device), mass storage, smart card, video, audio/video devices, and wireless controller.
In addition, the WebUSB specification includes a block list of specific USB devices that cannot be accessed by the API, such as YubiKeys, Google Titan keys, and Feitian security keys, which are used for multi-factor authentication.
Google is now testing an “Unrestricted WebUSB” feature that allows Isolated Web Apps to access these restricted devices and interfaces.
“The WebUSB specification defines a blocklist of vulnerable devices and a table of protected interfaces classes that are blocked from access through WebUSB,” Google noted in a Chrome status update.
“With this feature, Isolated Web Apps with permission to access the ‘usb-unrestricted’ Permission Policy feature will be allowed to access blocklisted devices and protected interface classes.”
Isolated web apps are applications not hosted on live web servers but packaged into Web Bundles, signed by their developer, and distributed to end-users. They are commonly created for companies to use in-house.
To make this work, these web apps must have permission to use the “usb-unrestricted” feature.
When an app with this permission attempts to access a USB device, the system first checks if it is on the blocklist of vulnerable devices. If it is, the device is normally removed from the access list.
However, this restriction is bypassed for web apps with the “usb-unrestricted” permission.
The system also checks whether the device is on the app’s list of allowed devices. If it is not, access is denied.
Additionally, the system will check if the accessed interface is marked as protected. If it is, and the app does not have the “usb-unrestricted” permission, access is denied.
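The three checks described above, modelled as a small decision function. This is an added example, not Chrome's or the WebUSB specification's code; the blocklist entries and vendor/product IDs are constructed placeholders, while the class codes are the standard USB interface class codes for the protected classes the article names.

```javascript
// Standard USB interface class codes for the protected classes listed above.
const PROTECTED_INTERFACE_CLASSES = new Set([
  0x01, // audio
  0x03, // HID
  0x08, // mass storage
  0x0b, // smart card
  0x0e, // video
  0x10, // audio/video
  0xe0, // wireless controller
]);

// Constructed blocklist of "vulnerable devices" (placeholder IDs, not real ones).
const BLOCKLIST = [
  { vendorId: 0x1111, productId: 0x0001 },
  { vendorId: 0x2222, productId: 0x0002 },
];

function sameDevice(a, b) {
  return a.vendorId === b.vendorId && a.productId === b.productId;
}

// app:            { usbUnrestricted: boolean, allowedDevices: [{ vendorId, productId }] }
// device:         { vendorId, productId } the app is trying to open
// interfaceClass: USB class code of the interface the app wants to claim
function checkWebUsbAccess(app, device, interfaceClass) {
  // Check 1: the blocklist normally removes the device, unless the
  // Isolated Web App holds the "usb-unrestricted" permission.
  if (BLOCKLIST.some((b) => sameDevice(b, device)) && !app.usbUnrestricted) {
    return { allowed: false, reason: 'device is on the vulnerable-device blocklist' };
  }
  // Check 2: the device must still be on the app's own allowed-device list;
  // "usb-unrestricted" does not bypass this check.
  if (!app.allowedDevices.some((d) => sameDevice(d, device))) {
    return { allowed: false, reason: 'device is not in the app allowed-device list' };
  }
  // Check 3: protected interface classes are denied without "usb-unrestricted".
  if (PROTECTED_INTERFACE_CLASSES.has(interfaceClass) && !app.usbUnrestricted) {
    return { allowed: false, reason: 'interface class is protected' };
  }
  return { allowed: true, reason: 'access granted' };
}
```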
Google’s proposed feature enables trusted isolated web apps to access a broader range of USB devices, allowing for greater functionality in a trusted setting.
Google says it plans to ship it for testing in Chrome 128, which should be released in August 2024.