cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Fully support Web USB and Web Serial

ali1234
Making moves

Web-based IDEs like Arduino and Github Codespaces are now commonplace. They are hobbled in Firefox due to an inability to access development boards without installing extra system software, which rather defeats the purpose of having an IDE that runs in your browser. This is not the case on Chrome, where Web USB and Web Serial can be used. (Clarification: they *could* be used on Chrome, but often are not because developers don't want to maintain two separate codebases.)

I will preempt the response I have received every previous time I brought up this topic: Web USB and Web Serial present no more of a security risk than web camera or location data, and Firefox already has a permissions system to protect those. On the other hand, the software you have to install to make Arduino IDE work in Firefox starts a webserver that shares your serial port over a websocket, just so that your browser can connect to it. It isn't clear if there are any protections at all on that websocket.

I will also note than the current prevalence of web-based development environments is in part due to Mozilla's insistence that everything should be able to run in the browser, along with projects like Firefox OS.

https://developer.mozilla.org/en-US/docs/Web/API/Web_Serial_API

https://developer.mozilla.org/en-US/docs/Web/API/USB

43 REPLIES 43

please kindly stop taking over a thread with (presently) unexplained, and unkind accusations.

adding these protocols is a valuable tool for access to local external hardware with user's consent, and the security measures are in exactly that: the user's consent, the activation of them. any proper implementation would require human user input before webserial could be activated which is what chrome also does, and the whole feature could, and should, be locked behind an about:config flag as it's a feature many common users (seemingly such as yourself) do not need, as they have no reason nor purpose. the people here are advocating for adding it behind such a flag, for our specific use cases, as being behind an about:config flag would keep common users safe while giving us the tools we want, that firefox needs to be able to compete in terms of browser market share in the modern era.

please kindly source the reasons for your argument and explain them in the future, and explain why you are so passionate about being against this, as lack of civility nor explanation add nothing to the discussion. if you have tangible constructive concerns, please tell us so we may counter with ways to mitigate those concerns, or new things mozilla should add to ensure it's not a security risk.

- A FOSS Loving Queer Trans Girl

Consider that Web APIs which provide access to hardware devices are significantly safer in terms of security than the present alternative: instructing the user to download a random executable that likely needs to run with administrative privileges on the machine. With Web USB, Web Serial, etc. access is limited to only the devices the user specifies (+ only to that specific origin), and I certainly trust web browser vendors more to not introduce silly bugs that lead to compromise of my machine — I mean, have you seen the quality of the utilities that hardware vendors come up with?

It's a win-win for users and manufacturers: users do not need to worry about installing highly privileged, potentially buggy software on their machine and instead just use a simple webpage; manufacturers do not need to worry about platform-specific implementations of hardware APIs, maintaining the utility software, pushing updates to users, etc.

I would also like to add that devices can implement a specific descriptor that defines the origins that the device trusts to access it. Why not begin with an implementation which allows only a device's trusted origins to access it, and hide a "show all devices" option behind about:config? This would eliminate a big chunk of risk.

exactly this, thanks for putting more words to the point

- A FOSS Loving Queer Trans Girl

ukoda
Making moves

I'm working on a high end consumer audio product that charges via USB and was looking at using a web app to configure the product without forcing the user to install an app on their phone or PC that they will probably only ever use once during initial set up.  Web USB serial access is a perfect fit for this use case.  I have been using Firefox since before it was called Firefox, back when it was in beta around ver 0.7, so find it disappoint I would have to give the classic "We only support Chrome and Edge" response to visitors looking to set up their product.