[crote]

Unfortunately it also opens up the door for so many new exploits.

A lot of hardware has very minimal protection against attacks, because the general idea is that anyone able to run software on a machine could also just trivially physically attack the device itself. The result is that you can often update device firmware over Bluetooth or USB.

Allowing random websites to suddenly have unlimited access to poorly-secured devices is a terrible idea. Google's opinion seems to be that a permission popup is enough, but you get basically identical popups for a website wanting to send you notifications, get your current location, or completely own your physical hardware.

[buildfocus]

> you get basically identical popups for a website wanting to send you notification

Last I saw, that's not really true - you get asked for BT access in general, but then you have to directly select the device you want the site to connect to once scanning happens (site can specify basic filters to limit devices shown, but little else). Sites can't see what devices are available until you actively select the device from the browser UI, and can't just show you a 'click to give full access to BT with everything'.

[madacol]

> Unfortunately it also opens up the door for so many new exploits.

Put the door behind a permission the user has to explicitly activate, and if you are still concerned, add more friction to the process, or in this case, argue for a better permission system, but please do not argue for "infinite friction" (a.k.a prohibiting, banning, censoring)

If you still think we should not do this because users won't care and will accept any permission anyway, then you are arguing against the freedom of users to have control of their devices and run whatever algorithm they want on them