Google to allow trusted web apps to access USB devices

Google is working to allow trusted isolated web applications to have unfettered access through the WebUSB API, a JavaScript API that authenticates web applications to interact with local USB devices on a computer.

Through a Chrome status update, the company said it is testing the “Unrestricted WebUSB” feature to enable these trusted web applications to safely access the restricted local devices.

“The WebUSB specification defines a blocklist of vulnerable devices and a table of protected interfaces classes that are blocked from access through WebUSB,” Google said in the update. “With this feature, Isolated Web Apps with permission to access the ‘USB-unrestricted’ Permission Policy feature will be allowed to access blocklisted devices and protected interface classes.”

The implementation status of this feature is shown to be “in developer trial” and “behind a flag” in the update.

Unblocking sensitive access

According to the WebUSB specification, some interface classes are restricted from access by web applications to safeguard against malicious scripts potentially obtaining sensitive data. These classes include audio, human interface devices (HID), mass storage, smart cards, video, audio or video devices, and wireless controllers.

With the new feature, Chrome is going to allow a set of trusted isolated web applications to access these blocked classes along with a few specific USB devices, such as YubiKeys, Google Titan keys, and Feitian security keys, used for multi-factor authentication.

Isolated Web applications (IWAs) are defined as applications which, rather than being hosted on a live web server and fetched over HTTPS, are packaged into bundles signed by their developers and distributed to users through various methods including platform-specific installation formats like APK, MSI, or DMG, raw singed bundles, through an operating system, browser or third-party “app store,” and installed via enterprise system configuration management infrastructure.

IWAs can be more secure

Google’s attempt at this feature probably draws from the fact that IWAs are comparatively secure as they limit the interaction and sharing of data between different applications and systems. The benefits of operating an isolated web application include compromise containment, controlled access and permission, reduced dependency risks, and protection from cross-site scripting attacks.

Post this update, IWAs with permission to use the “USB unrestricted” feature will be able to access a USB device normally “restricted” under the “vulnerable devices” blocklist. The feature will presumably allow customizing the types of USB devices accessible even when “USB unrestricted” is on.

According to the update, Google aims to ship a beta version of the feature through Chrome 128, expected to be released in August.