Google Chrome to Enable Isolated Web Apps to Access Sensitive USB Devices


Google is developing a new feature called "Unrestricted WebUSB" that lets trusted isolated web apps bypass two of the WebUSB API's access restrictions: the device blocklist and the table of protected interface classes.

WebUSB is a JavaScript API that lets web applications talk to USB devices attached to the user's computer. To keep web content away from sensitive devices, certain USB interface classes (audio, HID (Human Interface Device), mass storage, smart card, video, audio/video, and wireless controller) are marked as protected and cannot be claimed by web applications through the API.


Additionally, the WebUSB specification maintains a blocklist of specific USB devices, identified by vendor and product ID, that the API refuses to expose at all. It includes multi-factor authentication hardware such as YubiKeys, Google Titan keys, and Feitian security keys.

Google is currently testing the "Unrestricted WebUSB" feature, which lets isolated web apps reach both the blocklisted devices and the protected interface classes.

According to a Chrome status update, "The WebUSB specification defines a blocklist of vulnerable devices and a table of protected interface classes that are blocked from access through WebUSB. With this feature, isolated web apps with permission to access the 'usb-unrestricted' Permission Policy feature will be allowed to access blocklisted devices and protected interface classes."

Isolated web apps are applications packaged into Web Bundles, signed by their developers, and distributed directly to end users, typically for in-house company use, rather than being served from a live web origin.

For an app to use this feature, it must be granted the "usb-unrestricted" Permissions Policy feature. When such an app tries to access a USB device, the browser first checks whether the device is on the blocklist of vulnerable devices. Normally a blocklisted device is filtered out of the set the app may see, but that filter is skipped for apps holding "usb-unrestricted".

The browser then checks whether the device is on the app's own list of allowed devices; if it is not, access is denied. Finally, if the interface being claimed belongs to a protected class and the app lacks "usb-unrestricted", access is denied as well. In short, "usb-unrestricted" bypasses the blocklist and the protected-class table, but not the per-app device allowlist.
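The decision sequence described above, written out as an added example. This is a model of the described checks, not Chrome's implementation: the interface class codes are the USB class values named in the WebUSB specification's protected-classes table, while the blocklist entries, the vendor/product IDs, the app objects, and the way the `usb-unrestricted` policy is represented on the app object are constructed for illustration.

```javascript
// Added example (not Chrome's code): a model of the WebUSB access decision
// with the "usb-unrestricted" bypass available to isolated web apps (IWAs).
// Class codes are USB bInterfaceClass values from the WebUSB spec's
// protected-classes table; everything else below is constructed.

// Protected interface classes: web content may not claim these.
const PROTECTED_INTERFACE_CLASSES = new Map([
  [0x01, 'Audio'],
  [0x03, 'HID'],
  [0x08, 'Mass Storage'],
  [0x0b, 'Smart Card'],
  [0x0e, 'Video'],
  [0x10, 'Audio/Video'],
  [0xe0, 'Wireless Controller'],
]);

// Constructed blocklist: vendor/product ID pairs standing in for the spec's
// real entries (which cover FIDO security keys, among other devices).
const BLOCKLIST = [
  { vendorId: 0x1111, productId: 0x0001 }, // constructed "security key" entry
  { vendorId: 0x1111, productId: 0x0002 }, // constructed second key model
];

function sameDevice(a, b) {
  return a.vendorId === b.vendorId && a.productId === b.productId;
}

function isBlocklisted(device) {
  return BLOCKLIST.some((entry) => sameDevice(entry, device));
}

// The bypass applies only to an isolated web app whose permissions policy
// grants `usb-unrestricted` to its own origin. The `permissionsPolicy` shape
// on the app object is an assumption of this example.
function hasUnrestrictedUsb(app) {
  const grant = app.permissionsPolicy['usb-unrestricted'];
  return app.isIsolatedWebApp === true && Array.isArray(grant) && grant.includes('self');
}

// First check from the text: blocklisted devices are filtered out of what
// the app can see, unless the app holds usb-unrestricted.
function visibleDevices(app, connectedDevices) {
  const unrestricted = hasUnrestrictedUsb(app);
  return connectedDevices.filter((d) => unrestricted || !isBlocklisted(d));
}

// Decides whether `app` may claim an interface of class `interfaceClass` on
// `device`. Order follows the text: blocklist, then the app's allowlist,
// then the protected-class table. The allowlist is never bypassed.
function checkInterfaceAccess(app, device, interfaceClass) {
  const unrestricted = hasUnrestrictedUsb(app);
  if (isBlocklisted(device) && !unrestricted) {
    return { allowed: false, reason: 'device is on the WebUSB blocklist' };
  }
  if (!app.allowedDevices.some((d) => sameDevice(d, device))) {
    return { allowed: false, reason: 'device not in the app allowed-device list' };
  }
  if (PROTECTED_INTERFACE_CLASSES.has(interfaceClass) && !unrestricted) {
    const name = PROTECTED_INTERFACE_CLASSES.get(interfaceClass);
    return { allowed: false, reason: `interface class ${name} is protected` };
  }
  return { allowed: true, reason: 'access granted' };
}

// Constructed sample devices and apps.
const securityKey = { vendorId: 0x1111, productId: 0x0001, name: 'constructed security key' };
const serialAdapter = { vendorId: 0x2222, productId: 0x0010, name: 'constructed vendor-class adapter' };

const ordinaryWebApp = {
  isIsolatedWebApp: false,
  permissionsPolicy: {},
  allowedDevices: [securityKey, serialAdapter],
};

const unrestrictedIwa = {
  isIsolatedWebApp: true,
  permissionsPolicy: { 'usb-unrestricted': ['self'] },
  allowedDevices: [securityKey],
};

if (typeof require !== 'undefined' && require.main === module) {
  const apps = [['ordinary web app', ordinaryWebApp], ['unrestricted IWA', unrestrictedIwa]];
  for (const [label, app] of apps) {
    console.log(label, 'sees:', visibleDevices(app, [securityKey, serialAdapter]).map((d) => d.name));
    console.log(label, 'HID on security key:', checkInterfaceAccess(app, securityKey, 0x03));
    console.log(label, 'vendor class 0xff on adapter:', checkInterfaceAccess(app, serialAdapter, 0xff));
  }
}
```

The ordinary web app never sees the constructed security key and cannot claim an HID interface even on a device it was granted; the unrestricted IWA can claim HID on the blocklisted key, but is still refused the adapter because that device is not on its allowlist.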

The feature is meant to let trusted isolated web apps work with a wider range of USB devices without weakening the restrictions that apply to ordinary web content. The trade-off is that the blocklist and protected-class table exist precisely because security keys, HID, and mass storage devices are high-value targets; with "usb-unrestricted", protection for those devices rests on the app being an isolated web app that was signed by its developer and installed by the organization, so the signing key and the installation process become the boundary to guard.

Google plans to introduce this feature for testing in Chrome 128, set to release in August 2024.