[hedora]

It lets you enumerate all the USB crap on the bus.

My desktop has 12 things on the bus. 8 are soldered on to the motherboard, and 4 are plugged in. There are at least 32 choices for each of the things, so that’s 5 bits of entropy per device — 7 bits, ignoring the motherboard.

[nolist_policy]

But only if you allow WebUSB access, which the browser will ask you first.

If you allow Camera access you get a metric ton of bits.

[hedora]

The author of the sample code implies it will run without prompting.

[lxgr]

No, but the browser reveals that it generally supports these APIs, letting the site know that there is a point in even prompting.

[lxgr]

I mean, if you grant USB access to an untrustworthy web site, it's game over – you can probably just read the serial number of at least one of these devices over USB.