[lxgr]

> more or less a supercookie of your browser instance.

That's really not what it is though, is it?

These capabilities will be rolled out for all users of a given browser, or even for a given rendering engine, and I'd assume that your browser family is already easily fingerprintable. In other words, they are all highly correlated.

Things like installed fonts, window sizes, your clock drift etc. are a different story. These lower-correlation measurable properties are the real supercookie problem.

[hedora]

It lets you enumerate all the USB crap on the bus.

My desktop has 12 things on the bus. 8 are soldered on to the motherboard, and 4 are plugged in. There are at least 32 choices for each of the things, so that’s 5 bits of entropy per device — 7 bits, ignoring the motherboard.

[nolist_policy]

But only if you allow WebUSB access, which the browser will ask you first.

If you allow Camera access you get a metric ton of bits.

[hedora]

The author of the sample code implies it will run without prompting.

[lxgr]

No, but the browser reveals that it generally supports these APIs, letting the site know that there is a point in even prompting.

[lxgr]

I mean, if you grant USB access to an untrustworthy web site, it's game over – you can probably just read the serial number of at least one of these devices over USB.