Slightly tangential, but I still find it fascinating that Firefox OS was the first to introduce the idea of adding all sorts of hardware APIs accessible from JavaScript, or at least that was the first time I heard of that idea and played with it (and still have a ZTE phone from the time), but, after Firefox OS was discontinued, they essentially stopped being interested in those capabilities altogether and started to even actively discourage others from exploring it.
I guess it makes sense from a business perspective, but I still believe in the original idea of making more powerful apps with Web technologies, even though the companies that work on those ideas changed over time.
Firefox OS needed those sorts of things for its “apps” since it had no lower-level “native”, and I think that they were only exposing features like that to trusted code (meaning apps you deliberately installed) rather than general web content, until they could be sure it was reasonable.
I think they also designed the OS with a better peripheral security model than Windows/Linux/macOS, nullifying or mitigating one of the two critical problems of WebUSB (that the computer trusts peripherals too much, so that one that’s hijacked can more easily become a remote code execution vulnerability).
(I write all this as one who kept a fairly close eye on Firefox OS, but has never run it.)
> and I think that they were only exposing features like that to trusted code (meaning apps you deliberately installed) rather than general web content
I'd actually be pretty happy if browsers chose to implement those APIs with the same restriction in mind - that is, only for explicitly installed PWAs. I said this elsewhere in the past, and I still think that's a reasonable restriction that could provide a path forward.
> or mitigating one of the two critical problems of WebUSB (that the computer trusts peripherals too much, so that one that’s hijacked can more easily become a remote code execution vulnerability)
I'm not very well-versed in the details, but I believe that's also the reason why WebUSB (or the Chromium implementation of WebUSB?) doesn't allow certain classes of devices to ever be accessed via that API.
Limiting it to installed apps still has the problem of users blindly agreeing to something that is fundamentally super dangerous. I don’t believe installing PWAs currently exposes any new security surface, so this would be a significant change, and worse still a persistent hazard with probably no indication of what’s going on when it’s in use. I think there’s still potential in the general concept, but it’d take work and is certainly not ready yet in any browser.