[justinschuh]

Sorry, you seem to have misread my statement. Everything you just listed are devices that the OS already natively binds. I'm not aware of anyone considering WebUSB implementations that would unbind native devices and expose them to the Web. Rather, the device-level risks for WebUSB primarily center around devices/interfaces that are not in well-known classes or otherwise are not natively bound and may expose dangerous interfaces (e.g. security credentials, unsigned firmware flashing, etc.).

[ZenoArrow]

Every USB device that the browser has access to will have a driver that the OS uses to expose its functionality. It doesn't matter whether that driver is built into the OS or not, the OS driver would still exist. The only other option is if the browser is managing hardware outside of the control of the OS by running with lower level privileges, but that opens up an even bigger security risk.

You suggested in another comment that you had some prior background in this area, are you involved in the development of this new web API?

[pcwalton]

> You suggested in another comment that you had some prior background in this area, are you involved in the development of this new web API?

Justin Schuh is a Chrome security engineer and is one of the most knowledgeable people on the planet when it comes to browser security. He knows what he's talking about more than virtually anyone else in this thread.

[bobwaycott]

I'm not saying I disagree, but this reeks of argument from authority. Plenty of knowledgeable people make mistakes—because they're all fallible.

[kibwen]

This is not argument from authority. You're free to believe that Justin Schuh is a fraud, or a moron, or just plain wrong in this one instance, but when a person who is an expert in a subject makes a statement that is pertinent to that subject, that is merely called "expertise".

[justinschuh]

This response just doesn't make sense given that modern OSes expose USB through much higher-level device management and communication APIs. Those are the APIs browsers use, and I've already explained that browsers shouldn't unbind and then expose a device that the OS or another native application has already bound. So, I really don't understand what argument you're trying to make here.