Mozilla and Apple Consider Chromes New Api As A threat

Google released Chrome 89 in beta with even more APIs for interacting with hardware, many of which Mozilla and Apple consider dangerous.

One of the new features in Chrome for interacting with hardware is the WebHID (Human Interface Devices) API, which allows developers to write JavaScript codes to interact with devices like gamepads and keyboards using not standard APIs like the Gamepad API, but logic specially created for these devices.

“The inability to access atypical or unusual HID devices is literally painful, for example, when it comes to support for gamepads. The input and output of gamepads is not properly standardized, and web browsers often require custom logic for individual devices. This approach is unstable and leads to poor support for a long list of old and non-standard devices, ” said the Google Chromium team.

Chrome 89 also supports Web NFC (Near Field Communications) technology, which allows web applications to read and write NFC tags. These applications include badge and barcode scanners, applications that redirect users to additional content, etc.

Another feature, Web Serial API, provides direct communication between web applications and devices with serial ports. The feature is an add-on to the WebUSB API, which has been supported since Chrome 61, but is not available in Firefox and Safari for security reasons.

Already implemented in Chrome for Android (since Chrome 75), Web Sharing APIs have now been added to Windows and Chrome OS. The idea is to replace the small buttons on websites that allow you to share content on Twitter, Facebook, etc., with a single Share button that invokes the operating system's sharing function.

This feature also allows you to exchange files such as images or text documents (the range of supported file extensions is limited). Firefox doesn't support web sharing, but Microsoft Edge (version 81 and later) and Safari (version 12.1 and later on macOS, version 12.2 on iOS) do.

Chrome for Android has also added native support for decoding AVIF images, which is already present in the desktop version of Chrome. In addition, some CSS tweaks have been introduced, and JavaScript V8 has been updated to version 8.9 with "top-level await", which improves the import process for JavaScript modules.

Chrome's expanded device support significantly narrows the gap between web apps and native apps, but also increases the potential attack surface. For example, Mozilla's current position on the WebUSB API is that it is dangerous.

“Since many USB devices are not designed to handle potentially harmful USB interactions, and because these devices can have a significant impact on the computer they are connected to, we believe the security risks associated with making a USB device available over the Internet are too high which leads in  exposing users data , "Mozilla said.

Previous Post Next Post