
Google Chrome to allow Isolated Web Apps to access sensitive USB devices

Google is working on a new Unrestricted WebUSB feature that allows trusted isolated web apps to bypass security restrictions in the WebUSB API.

WebUSB is a JavaScript API that allows web applications to access local USB devices on your computer. As part of the WebUSB specification, there are certain interface classes that are protected from access via web applications to prevent malicious scripts from accessing potentially sensitive data.


The list of protected interface classes includes: audio, HID (Human Interface Device), storage, smart card, video, audio/video device, and wireless controller.

Additionally, the WebUSB specification includes a list of blocked USB devices that cannot be accessed via the API, such as YubiKeys, Google Titan Keys, and Feitian Security Keys, which are used for multi-factor authentication.

Google is currently testing an “Unrestricted WebUSB” feature that allows isolated web apps to access these restricted devices and interfaces.

“The WebUSB specification defines a list of blocked vulnerable devices and a table of classes of protected interfaces to which access via WebUSB is blocked,” Google noted in a Chrome status update.

“With this feature, isolated web applications with permissions to access the ‘USB unrestricted’ permission policy feature will be able to access devices that are on the Blocked and Protected Interface Classes list.”

Isolated web applications are applications that are not hosted on live web servers, but packaged into web packages, signed by their developer, and distributed to end users. They are commonly created for companies for internal use.

For this to work, web apps must have permission to use the “usb-unrestricted” feature.

When an application with this permission tries to access a USB device, the system first checks whether the device is on the blacklist of vulnerable devices. If so, the device is usually removed from the access list.

However, this restriction is bypassed by web applications with the “usb-unrestricted” permission.

The system also checks if the device is on the app’s allowed devices list. If it is not, access will be denied.

Additionally, the system will check if the available interface is marked as protected. If so, and the application does not have the “usb-unrestricted” permission, access is denied.
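The checks described above can be modelled as one decision function. This is an added illustration, not Chrome's implementation: the function name, object shapes and sample vendor/product IDs are constructed, while the class codes are the standard USB class codes for the protected classes listed earlier.

```javascript
// Illustrative model of the access checks described in the article; not Chrome's code.
// Class codes are the standard USB class codes for the protected interface classes.
const PROTECTED_CLASSES = new Map([
  [0x01, "audio"], [0x03, "HID"], [0x08, "mass storage"], [0x0b, "smart card"],
  [0x0e, "video"], [0x10, "audio/video"], [0xe0, "wireless controller"],
]);

// Constructed blocklist entry (placeholder IDs, not a real security key).
const BLOCKLIST = [{ vendorId: 0xffff, productId: 0x0001 }];

const sameDevice = (a, b) => a.vendorId === b.vendorId && a.productId === b.productId;

// app:    { unrestricted: boolean, allowedDevices: [{ vendorId, productId }] }
// device: { vendorId, productId, interfaces: [{ number, classCode }] }
function evaluateAccess(app, device) {
  const result = { deviceVisible: false, reason: "", claimable: [], denied: [] };
  // Check 1: blocklisted devices are dropped unless the app holds usb-unrestricted.
  if (BLOCKLIST.some((b) => sameDevice(b, device)) && !app.unrestricted) {
    result.reason = "device on blocklist";
    return result;
  }
  // Check 2: the device must be on the app's allowed list, with or without the permission.
  if (!app.allowedDevices.some((d) => sameDevice(d, device))) {
    result.reason = "device not on app's allowed list";
    return result;
  }
  result.deviceVisible = true;
  // Check 3: interfaces in a protected class require usb-unrestricted.
  for (const itf of device.interfaces) {
    const protectedName = PROTECTED_CLASSES.get(itf.classCode);
    if (protectedName && !app.unrestricted) {
      result.denied.push({ number: itf.number, why: `protected class: ${protectedName}` });
    } else {
      result.claimable.push(itf.number);
    }
  }
  return result;
}

// Constructed samples: a composite device (vendor-specific + HID) and a blocklisted key.
const composite = { vendorId: 0x1234, productId: 0x0001,
  interfaces: [{ number: 0, classCode: 0xff }, { number: 1, classCode: 0x03 }] };
const securityKey = { vendorId: 0xffff, productId: 0x0001,
  interfaces: [{ number: 0, classCode: 0x03 }] };
```

For anyone reviewing which internal apps should receive the permission, the model makes the scope visible: "usb-unrestricted" lifts the blocklist and protected-class checks, but the per-app allowed devices list still applies.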

Google’s feature lets trusted isolated web applications access a wider range of USB devices, enabling greater functionality in a trusted environment.

Google says it plans to make the feature available for testing in the Chrome 128 browser, which is expected to be released in August 2024.