New WebUSB API unofficial draft published

Apr 11, 2016 12:27 GMT

Two Google developers, Reilly Grant and Ken Rockot, have uploaded an unofficial (for now) draft to the World Wide Web Consortium's Web Incubator Community Group (W3C WICG) that describes a method of connecting USB-capable devices to Web pages.

The WebUSB API draft, published on March 21, describes an API (Application Programming Interface) that will provide a safe way to expose USB-capable devices to Web services.

This API isn't about USB thumb drives, as some of you might think, but about all devices that connect to PCs through USB ports, which can range from USB keyboards to complex Internet of Things (IoT) equipment.

WebUSB wants to connect hardware to the Web

But don't get your hopes too high. As the two Googlers explain, "WebUSB does not attempt to provide a general mechanism for any web page to connect to any USB device." Its role is to make this process simple, not universal.

The two developers explain that the train of thought behind this API is to provide a standard technology that browser vendors will adopt inside their products and to provide hardware manufacturers with a base on which to build devices with Web capabilities out of the box.

"With this API, hardware manufacturers will have the ability to build cross-platform JavaScript SDKs for their devices," the two developers explained. "This will be good for the web because, instead of waiting for a new kind of device to be popular enough for browsers to provide a specific API, new and innovative hardware can be built for the web from day one."

Security and privacy are a big concern

The concept is simple, but as the developers explain, the biggest concern regarding the new WebUSB API is not the actual code that powers this functionality, but the security and privacy issues.

Because USB devices and computers automatically trust each other, developers plan to build a system that resembles CORS (Cross-Origin Resource Sharing), employed by browsers to prevent page resources (fonts, JS scripts) from requesting data from domains other than the one they originate from.

An attacker could write malicious code that uses the WebUSB API to scan the user's computer for all available peripherals and their serial numbers, which would let third parties abuse the API to collect data on all site visitors and to identify and fingerprint users. The CORS-like system for the WebUSB API aims to limit direct access to (all) peripherals.

WebUSB's security protocols will treat each USB device as a different origin source, just like CORS treats domains. The API will require developers to specify what device to access, what parts, and then prompt the user for authorization to allow a site to detect the presence of a device and connect to it.

A simple example of how to use WebUSB

To better understand it, let's explore an example. Let's say site owner A wants to support 3D printing whenever users press CTRL+ALT+P.

All he has to do is include a hidden iframe with setup code from the 3D printer's manufacturer.

With the WebUSB API already supported inside browsers, plain ol' JavaScript code from inside the iframe will prompt the user for access to his 3D printer. Because JavaScript commands can be exchanged between site A and the 3D printer manufacturer's iframe, instructions can be sent to the 3D printer from site A via the iframe.

Site A can ask (via the iframe) the user to approve access to his computer, and even specify which commands he wants to run, just like the permissions on an Android phone.

Once commands reach the vendor's iframe, loaded on site A, the WebUSB API takes that JavaScript code, checks user permissions, and relays it to the computer's underlying USB drivers, which then send it to the device.

WebUSB is backward compatible

The way in which the two Google engineers designed the API allows even previously manufactured USB-capable devices to work without needing special firmware.

"For devices manufactured before this specification is adopted, information about allowed origins and landing pages can also be provided out of band by being published in a public registry," the two wrote.
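
As an added illustration (not code from the draft or from its authors), the following JavaScript models the CORS-like checks described in the security section and the registry fallback quoted above: the requesting origin must be allowed by the device or, for older devices, by the public registry, the page must name the device it wants, and the user must pick it. All function names, device IDs, serials and origins are hypothetical, and the model is a simplification of the policy as this article describes it.

```javascript
// Simplified model of the draft's CORS-like policy as the article describes it.
// Every name here is hypothetical; none is a WebUSB API identifier.
const keyOf = d => `${d.vendorId}:${d.productId}`;

// Reduce a URL to its origin (scheme + host + port); null when unusable.
function toOrigin(url) {
  try {
    const origin = new URL(url).origin;
    return origin === "null" ? null : origin;
  } catch {
    return null;
  }
}

// Allowed origins come from the device itself or, for devices built before
// the specification, from an out-of-band public registry. Default: none.
function allowedOriginsFor(device, registry) {
  return device.allowedOrigins ?? registry.get(keyOf(device)) ?? [];
}

// The page must name what it wants: an empty filter list matches nothing,
// so a script cannot enumerate every attached peripheral.
function matchesFilters(device, filters) {
  return filters.some(f => f.vendorId === device.vendorId &&
    (f.productId === undefined || f.productId === device.productId));
}

// Devices the browser may list in the permission prompt for this requester
// (in the 3D-printer scenario, the vendor's iframe rather than site A).
function devicesToOffer(requesterUrl, filters, attached, registry) {
  const origin = toOrigin(requesterUrl);
  if (origin === null) return [];
  return attached.filter(d => matchesFilters(d, filters) &&
    allowedOriginsFor(d, registry).map(toOrigin).includes(origin));
}

// Access needs both: the device was offered and the user picked it.
function grantAccess(offered, userChoice) {
  return offered.find(d => d === userChoice) ?? null;
}

// Constructed sample data: vendor IDs, serials and origins are made up.
const PRINTER = { vendorId: 0x1234, productId: 1, serial: "P-001",
  allowedOrigins: ["https://printer-vendor.example"] };
const LEGACY = { vendorId: 0x5678, productId: 2, serial: "L-002" };
const KEYBOARD = { vendorId: 0x9abc, productId: 3, serial: "K-003" };
const ATTACHED = [PRINTER, LEGACY, KEYBOARD];
const REGISTRY = new Map([[keyOf(LEGACY), ["https://legacy-vendor.example"]]]);
```

In this model a script on an unrelated origin, or one that names no device, is offered nothing, so it never sees serial numbers it could use for fingerprinting.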

The WebUSB API is available online on WICG's website, and it's still considered unofficial. Developers and vendors who want to make suggestions can do so by visiting its GitHub repository.