WebUSB Extension for Firefox
github.com
247 points by tuananh a day ago
WebUSB as an extension is the right approach. The security concern isn't the API itself — it's the default-on expectation that Chrome created. Firefox's model of "opt-in via extension" gives power users what they need without expanding the attack surface for everyone else.
I've used WebUSB for flashing keyboard firmware and it's genuinely better than downloading random executables from GitHub.
The permission model is more transparent than a native app that silently gets full USB access.
The whole point of WebUSB is to create a tool that works with USB devices, without all the risks and issues of installing external programs.
If I need to install a program, or a browser extension, just to work with a given tool, I probably would just prefer an ordinary program without a browser at all.
Chrome's approach is correct. It allows the user to work with USB devices without exposing the computer to the risks of installing host software.
You have to balance this ease of use with the increased potential attack and fingerprinting surface. The correct approach is something in the middle - a separate off-by-default setting or a recommended official extension.
Chrome has the option to turn off APIs by default. I do it for my installs. I think that disabling that option for everyone is not a good approach, as the average user will never figure out how to enable it, making that technology effectively dead, so we get back to installing host software.
Sometimes security and usability contradict each other.
...in your opinion. the firefox team disagrees.
They already killed Firefox. It has 2% marketshare. Next to something called "Samsung Internet" LoL. They're not in position to force technology usage.
Everything should be an extension for a browser. AI, telemetry, and other universally hated features. Let the user choose. No one has to worry if a toggle will always be respected in code, or if an update will undo it. Beholden to the same security isolations other extensions are forced to abide by. It's just the right way to do things.
I was rather hostile towards WebUSB/Bluetooth for ideological reasons, until I came across some cool apps like a climbing board control app (Bluetooth) or a netMD (to transfer to minidisks, via USB), which I would have found overkill to install a "hard App" for. I'm glad that there's an option for Firefox at last.
Same here, was skeptical at first but then I used a web app that supports WebUSB to configure my mechanical keyboard and it lets you flash the firmware right there from the browser and that’s pretty nice and convenient.
Even before WebUSB, I was using ZSA Oryx to create my keyboard layout for my first ZSA keyboard. But back then I had to download the file and then flash it using a dedicated program on the computer. Now with WebUSB I could both create the layout for my new ZSA keyboard there, and flash it from there without any additional software other than a Chromium based desktop web browser.
The whole dance has been made significantly easier by the adoption of UF2 flashing by large parts of the custom keyboard hobby: the device temporarily pretends to be a USB storage device, so you can now download the file and drag&drop it to your device.
Still not quite WebUSB-easy, but a massive improvement over needing dedicated programming software!
Firmware updates with UF2 over the emulated mass storage aren't bad, I agree.
But config updates that way still suck. The best implementation I've seen will present you with an empty drive with a README explaining how to drop a uf2 + an editable config file that contains all options with comments.
That's definitely workable for us tech people, but it absolutely sucks for the vast majority of users (including us tech people). Just think about having to learn the syntax, or simple things like picking a color or mapping keys on a keyboard.
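The UF2 flow discussed above (the device pretending to be a mass-storage drive, the user dropping a .uf2 file on it) is what several commenters measure WebUSB against, so here is an added example, not code from the thread or from any keyboard firmware project, that encodes a firmware image into UF2 blocks and decodes one back with the checks a careful bootloader performs: the three magic numbers, a consistent block count, contiguous addresses, and the optional family ID. The block layout follows the published UF2 format; the firmware bytes, target address and family ID value used below are constructed placeholders.

```javascript
// Added example: UF2 encode/decode (not from the thread or any firmware project).
// Layout per the UF2 format: 512-byte blocks, 32-byte header, 476-byte payload
// area, 4-byte end magic. All fields are little-endian 32-bit words.
const UF2_MAGIC_START0 = 0x0a324655; // "UF2\n"
const UF2_MAGIC_START1 = 0x9e5d5157;
const UF2_MAGIC_END = 0x0ab16f30;
const UF2_FLAG_FAMILY_ID = 0x2000;   // word at offset 28 is a family ID, not a file size
const UF2_BLOCK_SIZE = 512;
const UF2_PAYLOAD_MAX = 476;
const UF2_PAYLOAD = 256;             // conventional payload bytes per block

// Splits `firmware` into UF2 blocks destined for `targetAddr`, tagged with
// `familyId` so a bootloader for a different chip family ignores the file.
function encodeUf2(firmware, targetAddr, familyId) {
  const numBlocks = Math.ceil(firmware.length / UF2_PAYLOAD);
  const out = new Uint8Array(numBlocks * UF2_BLOCK_SIZE);
  for (let i = 0; i < numBlocks; i++) {
    const base = i * UF2_BLOCK_SIZE;
    const v = new DataView(out.buffer, base, UF2_BLOCK_SIZE);
    const chunk = firmware.subarray(i * UF2_PAYLOAD, (i + 1) * UF2_PAYLOAD);
    v.setUint32(0, UF2_MAGIC_START0, true);
    v.setUint32(4, UF2_MAGIC_START1, true);
    v.setUint32(8, UF2_FLAG_FAMILY_ID, true);
    v.setUint32(12, targetAddr + i * UF2_PAYLOAD, true);
    v.setUint32(16, chunk.length, true);   // last block may be short
    v.setUint32(20, i, true);
    v.setUint32(24, numBlocks, true);
    v.setUint32(28, familyId, true);
    out.set(chunk, base + 32);             // rest of the payload area stays zero
    v.setUint32(508, UF2_MAGIC_END, true);
  }
  return out;
}

// Reassembles a UF2 image. Blocks without valid magic are skipped, as the
// format allows; anything else inconsistent is rejected instead of being
// written to flash. Returns { baseAddr, data }.
function decodeUf2(image, expectedFamilyId) {
  if (image.length % UF2_BLOCK_SIZE !== 0) throw new Error('length is not a multiple of 512');
  const blocks = new Map();
  let numBlocks = null;
  for (let off = 0; off < image.length; off += UF2_BLOCK_SIZE) {
    const v = new DataView(image.buffer, image.byteOffset + off, UF2_BLOCK_SIZE);
    if (v.getUint32(0, true) !== UF2_MAGIC_START0 ||
        v.getUint32(4, true) !== UF2_MAGIC_START1 ||
        v.getUint32(508, true) !== UF2_MAGIC_END) continue;
    const flags = v.getUint32(8, true);
    const addr = v.getUint32(12, true);
    const size = v.getUint32(16, true);
    const blockNo = v.getUint32(20, true);
    const total = v.getUint32(24, true);
    const family = v.getUint32(28, true);
    if (size > UF2_PAYLOAD_MAX) throw new Error(`block ${blockNo}: payload size ${size} too large`);
    if ((flags & UF2_FLAG_FAMILY_ID) && expectedFamilyId !== undefined && family !== expectedFamilyId) {
      throw new Error(`block ${blockNo}: family ID 0x${family.toString(16)} does not match`);
    }
    if (numBlocks === null) numBlocks = total;
    else if (total !== numBlocks) throw new Error(`block ${blockNo}: inconsistent block count`);
    if (blockNo >= total) throw new Error(`block ${blockNo}: index beyond block count`);
    if (blocks.has(blockNo)) throw new Error(`block ${blockNo}: duplicate`);
    blocks.set(blockNo, { addr, data: image.slice(off + 32, off + 32 + size) });
  }
  if (numBlocks === null) throw new Error('no UF2 blocks found');
  if (blocks.size !== numBlocks) throw new Error(`expected ${numBlocks} blocks, got ${blocks.size}`);
  const baseAddr = blocks.get(0).addr;
  const parts = [];
  let next = baseAddr;
  for (let i = 0; i < numBlocks; i++) {
    const b = blocks.get(i);
    if (b.addr !== next) throw new Error(`block ${i}: address gap`);
    parts.push(b.data);
    next += b.data.length;
  }
  const data = new Uint8Array(next - baseAddr);
  let pos = 0;
  for (const p of parts) { data.set(p, pos); pos += p.length; }
  return { baseAddr, data };
}

// Constructed sample: 700 bytes of pattern data, placeholder address and family ID.
const SAMPLE_FIRMWARE = Uint8Array.from({ length: 700 }, (_, i) => (i * 7) & 0xff);
const SAMPLE_TARGET_ADDR = 0x10000000;   // placeholder, not a real chip's flash base
const SAMPLE_FAMILY_ID = 0x12345678;     // placeholder, not a registered family ID
```

Round-tripping SAMPLE_FIRMWARE through encodeUf2 and decodeUf2 yields three blocks and the original bytes; passing a different family ID to decodeUf2 is refused, which is the property that stops a .uf2 meant for one board from being accepted by another.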
IMHO Mozilla should have at least adopted WebSerial. It wouldn't give the entire USB freedom, but it has fewer privacy and security concerns, and devices would have made it work. But now it's too late, WebUSB has been adopted widely and Mozilla will eventually have to adopt it or perish.
is anyone making backups of these webapps? my keyboard uses one for everything, I've been meaning to learn how to host a local copy for when the website inevitably gets shut down
Oryx is proprietary, but vial[1] is open source and has similar functionality. It still uses web technology though, so you either need a chromium based browser, or electron to use it (or maybe Firefox with this extension).
Ugh, I hate this trend. I'm using ZMK on a wireless split Corne and I have to clone the ZMK config repo, edit the config, push to GitHub, use some GH Action to compile the firmware, download it, unpack it, and then flash it. WTF happened? This is a terrible workflow, and I was not able to get this done locally after spending an entire day on it. Why can't this shit just compile on my machine? How about I edit a text file...and then compile it without all the bullshit, like installing Docker, about three or four language-specific package managers which install things not vetted by my distro's maintainers and probably run some bash scripts fetched with curl? And honestly I'm not really comfortable running firmware compiled by Microsoft, the company known for their stellar software quality and security. Really though, I'm surprised, this was my first time being exposed to this kind of insanity. House of fucking cards.
I'm not even criticizing ZMK, btw, this is just an unbelievably obnoxious workflow. Please, nobody do this. The anger is short-circuiting my brain.
If you use nix, building locally is as easy as running a single command once it's setup with https://github.com/lilyinstarlight/zmk-nix
That's the exact scenario I first found it useful as well, earlier this month. It's especially nice as someone used to there not being Linux options for stuff like this.
This, more than ideology or security, is one of the main reasons I don't want WebUSB: fear that many hardware vendors will only support updates and configuration through a web app, that isn't guaranteed to remain online forever, may not be available to download and run locally, and may require installing otherwise undesirable firmware updates to maintain compatibility with available versions of the web app.
I have many expensive USB devices (cameras, musical instruments, audio and MIDI interfaces, a spectrometer) that are still useful despite being over a decade old; most will remain useful until the hardware fails. It'd be a shame if they required a long-lost web app to configure or control.
There is a host of software that only runs on Windows which can now run on any os with webusb. It's a glorious improvement
> I was rather hostile towards WebUSB/Bluetooth for ideological reasons, until I came across some cool apps […] which I would have found overkill to install a "hard App" for.
So, basically, you got seduced to loosen up your ideology a bit. You’re not alone. I likely would, too. What I would like to see instead of WebUSB is something akin to SOAP (https://en.wikipedia.org/wiki/SOAP), but for USB, where device manufacturers provide a downloadable file that describes the interface of their device, and tools, including third party ones, can generate apps from those descriptions.
I think that would give us an easy way to talk to USB devices without having to rely on the forever presence and good intentions of a third party web service.
One thing that it wouldn’t allow is for a remote server to talk to a local USB device. That may be unfortunate for a few use cases, but I think overall that’s for the better.
> I would have found overkill to install a "hard App" for
Hope you enjoy that same sentiment in 20 years when the website to control/manage your device doesn't exist/was bought out/whatever.
How is it any different with downloadable firmware?
That you can keep the firmware, the program to install it and a snapshot of the whole operating system in your drawer, if you want?
WebUSB is the main way to flash GrapheneOS onto a phone.
You can even do it from another Graphene phone!
One that’s been using Attestation, for bonus points.
Another possible use-case: allowing your peripherals to talk to cloud gaming computers - like, a nice HOTAS setup for flight simulator on GeforceNow.
It's fine as an extension, not so much as a default-enabled feature. We got the best outcome here.
Edit: Wait, no we didn't. Chrome added WebUSB support after all. Wtf I'm disabling that
> not so much as a default-enabled feature.
The browser opens a popup asking you if you want to grant access to a specific device for a specific website, it's not like random websites can just run adb commands on your phone
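As an added example (not code from the thread or from the Firefox extension being discussed), the sketch below shows the per-origin, per-device grant the comment above describes from a page's point of view: requestDevice() shows the browser's chooser, restricted by filters, and is only allowed from a user gesture; getDevices() later returns only the devices this origin was already granted; forget() revokes a grant. The vendor and product IDs, the fake navigator.usb and the fake device object are constructed so it runs offline; in a browser you pass the real navigator.usb.

```javascript
// Added example: WebUSB permission flow with an injectable `usb` object,
// so the same code runs against navigator.usb in a browser or a fake here.
// Filter matching below covers vendorId/productId only.

// Placeholder IDs for a hypothetical keyboard, not a real product.
const SUPPORTED_DEVICES = [
  { vendorId: 0x1234, productId: 0x0001 },
  { vendorId: 0x1234, productId: 0x0002 },
];

function matchesFilter(device, filter) {
  return device.vendorId === filter.vendorId &&
    (filter.productId === undefined || device.productId === filter.productId);
}

// Devices this origin was already granted; never prompts the user.
async function findGrantedDevice(usb, filters = SUPPORTED_DEVICES) {
  const granted = await usb.getDevices();
  return granted.find(d => filters.some(f => matchesFilter(d, f))) || null;
}

// Reuses an existing grant, or prompts via the chooser when `interactive`
// is true (call it from a click handler). Then opens and claims interface 0.
async function connectDevice(usb, { interactive = false, filters = SUPPORTED_DEVICES } = {}) {
  let device = await findGrantedDevice(usb, filters);
  if (!device) {
    if (!interactive) throw new Error('no granted device; requestDevice needs a user gesture');
    // The chooser only lists devices matching `filters`; cancel rejects with NotFoundError.
    device = await usb.requestDevice({ filters });
  }
  await device.open();
  if (device.configuration === null) await device.selectConfiguration(1);
  await device.claimInterface(0);
  return device;
}

// Drops this origin's grant so the device disappears from getDevices().
async function revokeDevice(device) {
  if (typeof device.forget === 'function') await device.forget();
}

// Constructed stand-in for navigator.usb: `grantedDevices` were granted
// earlier, `chooserPick` is what the user would click in the chooser.
function fakeUsb(grantedDevices, chooserPick) {
  const granted = [];
  const mk = (d) => ({
    ...d, opened: false, configuration: null, claimed: [],
    async open() { this.opened = true; },
    async selectConfiguration(n) { this.configuration = { configurationValue: n }; },
    async claimInterface(i) { this.claimed.push(i); },
    async forget() { const k = granted.indexOf(this); if (k >= 0) granted.splice(k, 1); },
  });
  grantedDevices.forEach(d => granted.push(mk(d)));
  return {
    async getDevices() { return granted.slice(); },
    async requestDevice({ filters }) {
      const d = chooserPick ? mk(chooserPick) : null;
      if (!d || !filters.some(f => matchesFilter(d, f))) {
        const e = new Error('No device selected.'); e.name = 'NotFoundError'; throw e;
      }
      granted.push(d);   // the browser remembers the grant for this origin
      return d;
    },
  };
}

// Browser usage: button.addEventListener('click', () => connectDevice(navigator.usb, { interactive: true }));
```

Two points worth noticing: a page that has never been granted anything cannot reach a device without the chooser, and a device the filters do not cover never appears in the chooser at all, so the user is choosing among devices the page declared support for rather than among everything plugged in.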
Yeah but still, I'd want that to only remotely be a thing. Like require enabling a developer setting for it.
That's a great way to kill adoption of a feature. But what has WebUSB done to you?
Chrome has had WebUSB since 2017. I really appreciate it for one-off configurators and those types of tools.
Well it's a stand-alone program too, not just an extension. I kinda wish extensions could act as full programs too but computers need better sandboxing.
I used it to side-load Android apps onto my Quest 3 so I could try Chromium on it
WebUSB is so great.
I can ship a cross-platform application that accesses a hardware device without having to deal with all the platform specifics, and with decent sandboxing of my driver.
I think one way to make it more "secure" against unwitting users would be to only support WebUSB for devices that have a WebUSB descriptor - would allow "origin" checking.
> I can ship a cross-platform application
And you can also un-ship it whenever you want, leaving users with unusable devices they paid money for.
That was always the case. Lots of “flasher” applications have had web dependencies where they’d download the latest firmware to a temp directory before flashing.
Yep, I’ve bought a few thermal printers recently and webusb support (marketed as Chromebook support) was a major deciding factor. Thermal printers aren’t well supported by built in printer drivers, so it’s nice to not have to install some questionable driver software with access to my whole computer and instead have a sandboxed chrome extension with enumerated permissions. I’ve also poked around the extensions’ minified js source out of curiosity and as a basic security audit
It was also nice trying out some RTL-SDR apps as soon as I got it without having to figure out how to build and install the Debian packages from source first.
It drives me nuts every time I have to switch from Firefox to Chrome to use webusb or webserial.
Let's please not (or at most, add a scary warning for non-tagged devices), as this would break the use case for at least all retrocomputing.
Aren't most retrocomputing USB devices running open source firmware? Adding a descriptor "WebUSB supported" is a few commits and a firmware update away.
that's not going to work for use cases like the https://webmd.pro where you're interfacing with hardware from other manufacturers
Definitely not most MiniDisc players. I doubt mine even has updatable firmware!
This probably applies to many older (or even newer) USB devices as well.
This brings back bad memories of the old ActiveX "safe for scripting" mechanism.
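As an added example (not from the thread or the extension), this parses a device's Binary Object Store descriptor to see whether it carries the WebUSB Platform Capability Descriptor that the suggestion above would gate on, and decodes the WebUSB URL descriptor the capability's landing-page index refers to, which is the "origin" hint a browser could check. The BOS and URL descriptor byte strings are constructed samples; on a real device the BOS comes back from a GET_DESCRIPTOR request for descriptor type 0x0F and the URL from a vendor request using bVendorCode, neither of which is shown here. The replies' caveat holds: a MiniDisc deck or other untagged device simply returns null from this parser, so gating on it would lock that hardware out.

```javascript
// Added example: detect the WebUSB Platform Capability Descriptor in a BOS
// blob and parse a WebUSB URL descriptor. Not from the thread or any project.
const DT_BOS = 0x0f;               // BOS descriptor type
const DT_DEVICE_CAPABILITY = 0x10; // Device Capability descriptor type
const CAP_PLATFORM = 0x05;         // bDevCapabilityType: Platform
const DT_WEBUSB_URL = 0x03;        // WebUSB URL descriptor type
// WebUSB PlatformCapabilityUUID {3408b638-09a9-47a0-8bfd-a0768815b665},
// first three groups little-endian, as USB stores GUIDs.
const WEBUSB_UUID = Uint8Array.from([
  0x38, 0xb6, 0x08, 0x34, 0xa9, 0x09, 0xa0, 0x47,
  0x8b, 0xfd, 0xa0, 0x76, 0x88, 0x15, 0xb6, 0x65,
]);

function bytesEqual(a, b) {
  return a.length === b.length && a.every((v, i) => v === b[i]);
}

// Walks the capability descriptors in a BOS. Returns
// { bcdVersion, vendorCode, landingPage } for the WebUSB capability,
// null when the device is not tagged, and throws on a malformed BOS.
function findWebUsbCapability(bos) {
  const view = new DataView(bos.buffer, bos.byteOffset, bos.byteLength);
  if (bos.length < 5 || bos[1] !== DT_BOS) throw new Error('not a BOS descriptor');
  const total = view.getUint16(2, true);
  if (total > bos.length) throw new Error('BOS wTotalLength exceeds buffer');
  const numCaps = bos[4];
  let off = bos[0];
  for (let i = 0; i < numCaps; i++) {
    if (off + 3 > total) throw new Error('truncated capability descriptor');
    const len = bos[off];
    if (len < 3 || off + len > total) throw new Error('bad capability length');
    if (bos[off + 1] === DT_DEVICE_CAPABILITY && bos[off + 2] === CAP_PLATFORM && len >= 24 &&
        bytesEqual(bos.subarray(off + 4, off + 20), WEBUSB_UUID)) {
      return {
        bcdVersion: view.getUint16(off + 20, true), // 0x0100 for WebUSB 1.0
        vendorCode: bos[off + 22],                  // bRequest for WebUSB vendor requests
        landingPage: bos[off + 23],                 // URL descriptor index, 0 = none
      };
    }
    off += len;
  }
  return null;
}

// WebUSB URL descriptor: bLength, bDescriptorType (3), bScheme, UTF-8 URL.
const URL_SCHEMES = { 0: 'http://', 1: 'https://', 255: '' };
function parseUrlDescriptor(desc) {
  if (desc.length < 3 || desc[1] !== DT_WEBUSB_URL || desc[0] !== desc.length) {
    throw new Error('not a WebUSB URL descriptor');
  }
  const scheme = URL_SCHEMES[desc[2]];
  if (scheme === undefined) throw new Error(`unknown URL scheme byte ${desc[2]}`);
  return scheme + new TextDecoder().decode(desc.subarray(3));
}

// Constructed sample BOS: a USB 2.0 Extension capability, then a WebUSB
// platform capability (bcdVersion 1.00, vendor code 0x42, landing page 1).
const SAMPLE_BOS_WITH_WEBUSB = Uint8Array.from([
  0x05, 0x0f, 0x24, 0x00, 0x02,               // BOS header: wTotalLength=36, 2 capabilities
  0x07, 0x10, 0x02, 0x02, 0x00, 0x00, 0x00,   // USB 2.0 Extension (LPM bit set)
  0x18, 0x10, 0x05, 0x00, ...WEBUSB_UUID,     // Platform capability, WebUSB UUID
  0x00, 0x01, 0x42, 0x01,                     // bcdVersion, bVendorCode, iLandingPage
]);
// Constructed BOS from an untagged device (only the USB 2.0 Extension).
const SAMPLE_BOS_PLAIN = Uint8Array.from([
  0x05, 0x0f, 0x0c, 0x00, 0x01,
  0x07, 0x10, 0x02, 0x02, 0x00, 0x00, 0x00,
]);
// Constructed URL descriptor for https://example.com/config (18 URL bytes).
const SAMPLE_URL_DESCRIPTOR = Uint8Array.from([
  0x15, DT_WEBUSB_URL, 0x01, ...new TextEncoder().encode('example.com/config'),
]);
```

Running findWebUsbCapability on the two samples shows the split the replies describe: the tagged device yields a vendor code and landing-page index, the plain one yields null, and a browser policy of "WebUSB only for tagged devices" would have nothing to go on for the latter.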
Yep. FlipperZero, Android, now some random chinese handheld radio - just some of the things I didn't have to install some crap unsandboxed app to flash in the last 3 months. Absolutely revolutionary.
This right here is the reason I like it and web bluetooth too, with them 'just working' regardless of platform I'm using. Miss me with some unsigned questionable app that only runs on windows as admin.
I recently flashed GrapheneOS on a Pixel for a friend. I was very surprised that you can do this entire process from the browser using WebUSB - the only downside being that it required me to launch Chromium.
You can flash GrapheneOS on a Pixel from another pixel, no pc required at all. I've done it several times, this is what sold me on the utility of WebUSB. You can use GOS' own distribution of chromium, Vanadium, if you have a GOS device and you want to avoid Chrome.
Is there something specific in that process that required WebUSB vs just normal USB? Sounds like phone makers could have done this since forever if they wanted to, what makes WebUSB particularly useful for this?
WebUSB is particularly useful for this, because it allows you to just open a website. You don't need to install an app.
It's also convenient for developers, as distributing apps nowadays involves a lot of hoops to jump through. A website is just a website.
Also, a website is cross-platform by definition, as long as the API is supported across platforms, and the WebUSB API is supported on all platforms except iOS.
Native android apps can talk to regular USB devices, if granted the necessary permissions. But it's exposed through a Java api (and Kotlin I suppose, these days), which is fine, but it means you need to write your client logic twice. If you target the web, you can do it once.
(Yes, you could try to build some common interface, libusb-style, but I think you'll have a bad time with minor behavioural differences, especially around permissions. libusb itself does ostensibly support Android but there are several caveats: https://github.com/libusb/libusb/wiki/Android#does-libusb-su... )
So you can't just use fastboot in termux, with https://github.com/nohajc/termux-adb, then?
It uses libusb, so yes, modulo aforementioned documented caveats (as well as the undocumented ones)
Cross-platform compatibility comes to mind. WebUSB is available on macOS, Windows, and Android; a native Android app would pose a bootstrapping problem for a probably not insubstantial fraction of all potential users.
Web USB and Web Bluetooth are amazing. I've used the former for the excellent Web MiniDisc [1], and the latter to flash custom firmware [2] on cheap Xiaomi Bluetooth LE thermometer/hygrometer devices that Home Assistant can pick up.
Truly opening new possibilities, since I wouldn't have been comfortable running some sketchy script or local binary.
[1] https://web.minidisc.wiki/ [2] https://github.com/pvvx/ATC_MiThermometer
> Web USB and Web Bluetooth are amazing.
Comments like this scare me. Things look amazing when people with benevolent intentions are making interesting things, but as soon as someone with malevolent intentions does something that becomes the reason we can't have nice things people will start asking if this is something we should have actually done.
I just have no faith in humanity, and do not understand why we think this is a good idea to give a browser this much access to local system resources.
There isn't much to fear here. Web Bluetooth has been around nearly ten years now and nothing monumental has sprung forth from it. It is wonderfully convenient to have at your fingertips, especially in the ChromeOS world, but it's not gonna turn everyone's devices into Flipper Zero targets.
> Comments like this scare me.
Sorry to hear that. I thought this was a safe space for hackers to express enthusiasm about pushing their own hardware and software further (and in this case even in a comparatively safe way).
> I just have no faith in humanity, and do not understand why we think this is a good idea to give a browser this much access to local system resources.
The browser already has all that access, it's just further granting it to web apps, and on a page-by-page, device-by-device, explicitly user opt-in basis at that.
And as I've mentioned, the alternative here is to install a potentially untrusted native application that gets the same access and so much more.
If that's what the Github page tells users to do, many of them will just do it without thinking twice. Is that better?
> I thought this was a safe space for hackers to express enthusiasm about pushing their own hardware and software further (and in this case even in a comparatively safe way).
Nothing is preventing said experimentation nor discussion of it. I am merely offering my more conservative views of the situation as a contrast to the echo-chamber, gung-ho nature of the experimentation. "Just because we can doesn't mean we should" is often left out of the conversation. At some point, the net negative that comes from the use of something "cool" is never contemplated by those creating the something "cool" simply because they would never fathom using the "cool" for "uncool" purposes. Sadly, someone else will and weaponize it in an uncontrollable manner. If the creators can't think of how it can happen, it is vital that those not so involved in the creation speak up when there are potential issues.
I wouldn't describe it as "conservative" but as "pro-native-apps and anti-web-apps", which seems irrational in this day and age where "native apps" means platform lock-in by monopolies, less sandboxing and user-control than on the web, much more gatekeeping and control over published binaries, and these days the web app is usually a more private/secure alternative to the native app (which also bundles a marketing SDK, now, and fingerprints you invisibly via iCloud Keychain, tracks you with various identifiers, and more).
If native platforms removed USB or Bluetooth, the "control over my own hardware" crowd would flip a table. I just wish they also understood the benefits of the web compared to native. The Chrome/Project Fugu team's dream of making the web platform as powerful as native platforms is the correct one from a user freedom standpoint, or at bare minimum a "user choice" standpoint.
I'm not saying pro-native-apps outright even if that might be what it gets boiled down as. I'm saying I do not trust anything that runs in a browser. I actively block as much nonsense as possible. I do not trust devs that write code to run in browsers. There's a lot of devs getting taken out in the blast radius, but the only way to be sure is to take off and nuke it from orbit. There are devs out there hell bent on writing malicious code. I am willing to take a stand and refuse to use things when the net result is negative. I do not use social media. I do not shop at Walmart. These are the decisions I'm willing to live with even if it makes life slightly less "easy" because I've made a moral decision to not open myself up to nonsense just to later ask "what happened...".
Sure, you do what works for you. But why advocate for even more limits to how other people use their computers? One person's nonsense is another person's treasured hobby.
Yes, bad actors exist, but why concede every single nice thing to them?
Again, the net negative is being glossed over. Whatever good and nice things there might be, if it is being used more for negative purposes, you need to consider whether it is worth it at all or whether it was rushed and needed more thought before the PoC was pushed to prod.