Google Testing New “Unrestricted WebUSB” Function to Enhance Web Application Access to USB Devices
Google is currently testing a new function called “Unrestricted WebUSB” that lets trusted web applications bypass restrictions placed on the WebUSB API. WebUSB is a JavaScript API for interacting with USB devices attached to the local computer. Under the WebUSB specification, certain interface classes are protected so that malicious scripts cannot reach potentially sensitive data.
The protected interface classes are audio, Human Interface Device (HID), mass storage (drives), smart cards, video, audio/video devices, and wireless controllers. In addition, specific USB devices such as YubiKey, Google Titan, and Feitian security keys used for multifactor authentication are on the blocklist of devices that cannot be accessed through the WebUSB API.
To address these limitations, Google is developing the Unrestricted WebUSB function, which will allow Isolated Web Apps to access these restricted devices and interface classes. The function expands what web applications can do with USB hardware while confining that capability to a trusted environment.
On Chrome Platform Status, Google noted, “The Specification of WebUSB specifies a block list of protected interface classes that are blocked from access through WebUSB.”
Isolated Web Apps, which are not hosted on live web servers but are packaged in Web Bundles signed by their developers, will be able to use the Unrestricted WebUSB function. These applications are commonly used internally by companies, and they must hold the “usb-unrestricted” permission to use the new function.
When an application with the “usb-unrestricted” permission attempts to access a USB device, the system checks whether the device is on the blocklist of vulnerable devices. A listed device is normally removed from the set of available devices, but an application with the “usb-unrestricted” permission will still be able to access it.
In addition, the system verifies that the device is on the application’s list of permitted devices. If it is not, access is denied. The system also checks whether the interface being accessed belongs to a protected class; if it does and the application does not have the “usb-unrestricted” permission, access is restricted.
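The three checks described above can be modelled as a small decision function. This is an added example, not Chrome's implementation: the function names, object shapes and the blocklist entry are assumptions made for illustration, and the class codes are the standard USB-IF base class codes for the protected classes the article lists.

```javascript
// Added illustration: a model of the access checks described above, not Chrome's code.
// USB-IF base class codes for the protected interface classes named in the article.
const PROTECTED_CLASSES = new Map([
  [0x01, "audio"], [0x03, "HID"], [0x08, "mass storage"], [0x0b, "smart card"],
  [0x0e, "video"], [0x10, "audio/video"], [0xe0, "wireless controller"],
]);

// Constructed blocklist entry (placeholder IDs, not taken from the real blocklist).
const BLOCKLIST = [{ vendorId: 0xffff, productId: 0x0001, label: "example security key" }];

const sameDevice = (a, b) => a.vendorId === b.vendorId && a.productId === b.productId;

// Check 1: a blocklisted device is hidden unless the app holds usb-unrestricted.
function isDeviceVisible(device, app) {
  const blocked = BLOCKLIST.some((entry) => sameDevice(entry, device));
  return !blocked || app.usbUnrestricted;
}

// Checks 2 and 3: the device must be permitted for this app, and a protected
// interface class additionally requires usb-unrestricted.
function checkInterfaceAccess(device, iface, app) {
  if (!isDeviceVisible(device, app)) {
    return { allowed: false, reason: "device on blocklist" };
  }
  if (!app.permittedDevices.some((d) => sameDevice(d, device))) {
    return { allowed: false, reason: "device not permitted for this app" };
  }
  const cls = PROTECTED_CLASSES.get(iface.classCode);
  if (cls && !app.usbUnrestricted) {
    return { allowed: false, reason: `protected interface class: ${cls}` };
  }
  return { allowed: true, reason: cls ? `${cls} allowed by usb-unrestricted` : "ok" };
}

// Constructed sample: a composite device exposing a vendor-specific (0xff)
// interface and a HID (0x03) interface, seen by two hypothetical apps.
const sampleDevice = { vendorId: 0x1234, productId: 0x5678 };
const ordinaryApp = { usbUnrestricted: false, permittedDevices: [sampleDevice] };
const isolatedApp = { usbUnrestricted: true, permittedDevices: [sampleDevice, BLOCKLIST[0]] };

for (const app of [ordinaryApp, isolatedApp]) {
  for (const classCode of [0xff, 0x03]) {
    console.log(app.usbUnrestricted, classCode, checkInterfaceAccess(sampleDevice, { classCode }, app));
  }
}
```

Note that holding “usb-unrestricted” does not skip the permitted-device check: the isolated app is still denied any device that is not on its own list.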
Google plans to begin testing the Unrestricted WebUSB function in Chrome 128, which is set to be released