ok, let me expand on why I don't like it...

It's making a niche, rarely done use case safer at the cost of making the common case (browsing the web) less safe.

And yes, I am fully aware that I can not press the button that gives random sites access... But the issue is it increases the attack surface and is yet another thing that I could get tricked by on a bad day.

The OS should really be able to run code like a firmware flash utility in a sandbox that only has access to one USB device... But instead of improving the OS we keep adding features to the browser which increases the attack surface.

I have a very long list of things I am unhappy about the OS allowing just any app to do; especially app installers/uninstallers should not be a thing.

reply
If you're worried about that, you can just disable WebUSB in the Chrome settings. Any website will be denied access to that API from now on. And what's even better: you can selectively enable WebUSB for some websites.

That's what I do and that's what I suggest for any security-conscious user to do. Just explore Chromium settings, there are dozens of various APIs that could be disabled. Do you need Web MIDI? I don't. Disable.

Won't work as a default setting for the average user for sure, but if you consider yourself an advanced user, do that.

reply
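
The block-by-default, allow-per-site setup described in the comment above can also be enforced as a Chrome enterprise policy instead of being set by hand. This is an added example, not part of the thread: it assumes Google Chrome on Linux, where a file such as `/etc/opt/chrome/policies/managed/webusb.json` is read as managed policy, and `flasher.example.com` is a constructed placeholder origin.

```json
{
  "DefaultWebUsbGuardSetting": 2,
  "WebUsbAskForUrls": [
    "https://flasher.example.com"
  ]
}
```

`DefaultWebUsbGuardSetting` set to 2 stops every site from requesting a USB device (3 lets sites ask), and `WebUsbAskForUrls` lists the origins that may still show the device chooser. The applied values can be checked on `chrome://policy`.
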
Flashing was already solved by UF2, where the device-to-flash temporarily pretends to be a USB storage device. Giving raw USB access to random websites for that is massively overkill.

I could understand it if you were trying to do realtime configuration of or interaction with some device like a printer or a Stream Deck, but something as trivial as firmware flashing?

reply
It's pretty common to pick a few config parameters, click, and flash a firmware that does the things you want.

Yes, you could make the configuration into a separate uf2 object that overwrites other bytes, but that's yucky.

The access is explicitly per device. Even for plain flashing, it's safer and simpler than to download and shuffle random files.

reply
Trivial for you maybe, but many people don't know how and where to find the right firmware for their specific device, and can be in environments where the UF2 volume isn't as obvious (e.g. using a phone).
reply