Commit

WebUSB is worse than I remembered (#368)
The requirement that a device be aware of what is connected to it was
removed from the WebUSB spec.

This removes the unnecessary comparative language.
martinthomson authored Jun 17, 2020
1 parent b6e851a commit ff265d7
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion activities.json
Expand Up @@ -992,7 +992,7 @@
"id": "web-bluetooth",
"mozBugUrl": "https://bugzilla.mozilla.org/show_bug.cgi?id=674737",
"mozPosition": "harmful",
"mozPositionDetail": "This API provides access to the Generic Attribute Profile (GATT) of Bluetooth, which is not the lowest level of access that the specifications allow, but its generic nature makes it impossible to clearly evaluate. Like <a href=\"#webusb\">WebUSB</a> there is significant uncertainty regarding how well prepared devices are to receive requests from arbitrary sites. The generic nature of the API means that this risk is difficult to manage. The Web Bluetooth CG has opted for weaker protections than those in WebUSB, which require active consent to communicate from the device. This proposal uses a blocklist, which will require constant and active maintenance so that vulnerable devices aren't exploited. This model is unsustainable and presents a significant risk to users and their devices.",
"mozPositionDetail": "This API provides access to the Generic Attribute Profile (GATT) of Bluetooth, which is not the lowest level of access that the specifications allow, but its generic nature makes it impossible to clearly evaluate. Like <a href=\"#webusb\">WebUSB</a> there is significant uncertainty regarding how well prepared devices are to receive requests from arbitrary sites. The generic nature of the API means that this risk is difficult to manage. The Web Bluetooth CG has opted to only rely on user consent, which we believe is not sufficient protection. This proposal also uses a blocklist, which will require constant and active maintenance so that vulnerable devices aren't exploited. This model is unsustainable and presents a significant risk to users and their devices.",
"mozPositionIssue": 95,
"org": "Proposal",
"title": "Web Bluetooth",
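Review bot: In the replacement "mozPositionDetail" string, "has opted to only rely on user consent, which we believe is not sufficient protection" states the conclusion without connecting it to the risk named two sentences earlier (uncertainty about how well prepared devices are to receive requests from arbitrary sites). Consider adding a short clause that says why user consent does not cover that risk, so the sentence still carries an argument now that the comparison with WebUSB is gone. Because this commit touches only this one line, please also confirm that the entry behind the "#webusb" link does not still describe device-side consent as a WebUSB protection, otherwise the two entries will disagree. Minor wording: "to only rely on" reads better as "to rely only on", and "Like <a href=\"#webusb\">WebUSB</a>" wants a comma after it.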
