back to article Chrome 89 beta: Google presses on with 'advanced hardware interactions' that Mozilla, Apple see as harmful

Google has released a beta of Chrome 89, adding further hardware interaction APIs even though Mozilla and Apple consider many of these features harmful, as well as introducing a desktop-sharing API for Windows and Chrome OS. New features in Chrome 89 to interact with hardware begin with the WebHID (Human Interface Devices) API …

  1. Chris Gray 1
    Thumb Up

    Good on 'em

    I for one will continue to support Mozilla and Firefox in this.

    The web, as Google sees it, is intended to be unsafe (from the user's point of view) and to provide Google with the maximum access to user information and the user's hardware. That's how they make most of their money, after all.

    1. RegGuy1 Silver badge

      Re: Good on 'em

      Defo. Chrome is shit. I didn't realise this until I used it to log into gmail. I found they were logging me into everywhere. Fuck off. I choose when I log in. And worse, by being logged in it became MUCH easier to buy stuff.

      Tha's why I like to be logged OUT of Amazon and elsewhere. I decide when I log in.

      Chrome is just a tool to collect data. And ChromeOS, poo, poo, poo.

      Just poo.

      1. overunder Silver badge

        Re: Good on 'em

        Need a $GME like event for browsers.

        #NoMoreGoo

    2. Aitor 1

      Re: Good on 'em

      What they want is a full OS like env with WASM, so essentially they could deploy full apps everywhere, as all devices have the same target.

      Oh, and essentially they want random ppl executing binaries that can access credit cards, etc. What could go wrong.. as if this hadnt been tried before.

    3. needmorehare

      Mozilla good, Apple bad

      Mozilla are doing this for noble reasons, Apple less so. Mozilla is positioning itself as the browser which actually protects user privacy, rather than just blocking a few cookies and adding a few tracking blocklists. With Firefox, you can isolate every site from one another with namespace-based isolation and enable proper fingerprinting resistance with a couple of simple about:config tweaks. Safari doesn’t do isolation unless you explicitly PWA things, which sucks by comparison but I guess is still better than nothing.

      The truth on the Cupertino end is that Apple doesn’t want to allow hardware interaction because it makes PWAs useful enough to act as a viable alternative to native apps from their App Store. Anyone who grew up with addictinggames and newgrounds knows what WASM+WebGL+WebUSB can do for those who want to build 2021’s equivalent of “free flash games” without the walled garden getting in the way.

      In reality, operating system security features can be used to mediate accesses to USB devices and a whitelist can be created of known safe devices (e.g. game controllers) while disallowing access to anything not yet known to be safe. After all, JavaScript and WASM are both huge risks which we have successfully made (mostly) safe through implementing sufficient security measures.

      1. doublelayer Silver badge

        Re: Mozilla good, Apple bad

        "The truth on the Cupertino end is that Apple doesn’t want to allow hardware interaction because it makes PWAs useful enough to act as a viable alternative to native apps from their App Store. Anyone who grew up with addictinggames and newgrounds knows what WASM+WebGL+WebUSB can do for those who want to build 2021’s equivalent of “free flash games” without the walled garden getting in the way."

        The important part there is WebGL. Which Apple supports already as they were part of the initial development group. The second-most important part is WASM, because some of the games won't get enough performance from JS. Apple supports that already too. The only thing they don't support is the USB API. And you can only attach USB devices to the computers which have USB ports, which are also the ones which don't require apps to go through the App Store. IOS devices do have the store requirement, but they don't really have much in the way of USB support anyway. So perhaps your accusation is a bit premature.

        Meanwhile, there are APIs to get keyboard, mouse, and other peripheral input. They don't need access to USB devices to do that. The quote in the article about implementing custom logic for old game controllers is pathetic, because nobody is going to include a hundred drivers for game controllers, all written in JavaScript, in a web game. That API's in here so Google can do everything from a web app, and while I don't think they have a nefarious purpose here--Chrome already has access to system-level USB if it wants--they haven't put a single thought into security vulnerabilities. Which there are, a lot of them. USB is used not only for peripherals but for some system components as well, more so on laptops. The attack surface is incredible.

    4. Claverhouse Silver badge

      Re: Good on 'em

      The web, as Google sees it...

      ...entirely belongs to Google.

  2. theOtherJT

    emacs

    They really need to stop trying to turn their web-browser into an operating system. I already have one of those.

    1. David 132 Silver badge
      Happy

      Re: emacs

      Only a matter of time ‘til Chrome implements SystemD.

      Or will it be the other way round?

      1. theOtherJT

        Re: emacs

        Don't give either of them ideas! The last thing we need is systemd-webbrowserd - and before anyone says "You don't need a daemon for an obviously client facing process like a web browser" I reiterate DON'T GIVE THEM IDEAS.

    2. ThatOne Silver badge
      Facepalm

      Re: emacs

      > They really need to stop trying to turn their web-browser into an operating system

      It's a great example of the dangers of the "because we can" mentality. It provides solutions to a problem very (very, very) few people have, at the cost of general insecurity.

      One would had thought that since the original WinXP people might have started realizing that granting generous access to peoples' computers was a sure recipe for disaster. Well, apparently not.

      Some years ago I once had a (real world) discussion with a developer who was trying to sell me on the idea of hardware-controlling Web apps. His enthusiasm was a joy to behold, akin to that of a little boy talking about a new toy, but he totally ignored my security considerations with the heavyweight argument of "Naah, who would do that?". Yikes. I definitely don't want stuff built by those people to run on my computer. YMMV, but please keep your botnets off my lawn.

    3. Missing Semicolon Silver badge

      Re: emacs

      When it is, it won't matter what you are running it on. You may as well buy a ChromeBook.

  3. IGotOut Silver badge

    Just wait...

    ...until Apple remove it from the store on privacy grounds

    Watch a rapid change of mind by Google.

  4. Boris the Cockroach Silver badge
    FAIL

    Looking at the

    RS232 bit , I'm thinking "eeeeeeeeeeeeeek Stuxnet made easy"

  5. Pascal Monett Silver badge

    "a single Share button that calls the operating system's sharing feature"

    What ? They've pushed that bull to the OS level ?

    Today's operating systems are turning into everything-and-the-kitchen-sink levels of madness.

    Looking forward to the day where I can have a toaster service to command my IoT toaster and set the darkness on the bread. Not.

    1. ecofeco Silver badge

      Re: "a single Share button that calls the operating system's sharing feature"

      "Are you sure you don't want some nice toast?"

      1. David 132 Silver badge

        Re: "a single Share button that calls the operating system's sharing feature"

        Ah, so you’re a waffle man?

        1. davidp231

          Re: "a single Share button that calls the operating system's sharing feature"

          "Ah, so you’re a waffle man?"

          You see? You see what he's like?

    2. Anonymous Coward
      Anonymous Coward

      "Today's operating systems are turning into everything-and-the-kitchen-sink levels of madness."

      You could say the exactly the same thing about a lot of programming languages these days.

    3. Not previously required

      Toaster / Toothbrush / Shaver

      Pretty difficult to buy an electric toothbrush or shaver now without a bluetooth connection and an app to "control" it. Still needs an on / off switch. I really don't need to log the cumulative time I brush my teeth, or transmit it to Philips, or have anybody predict when I have squeezed that last annoying bit of paste from the tube and re-order more for me.

      We need to oppose this nonsense which is bad for the environment and merely more data grabbing.

      Say NO to the Google Toothbrush!

      ps my grandchildren would defeat the marketeers - they clean everything but their teeth with the brush, and wave it around for minutes at a time in mid air.

      1. Cuddles Silver badge

        Re: Toaster / Toothbrush / Shaver

        I've not had a problem finding normal toothbrushes and shavers, but I did recently struggle to find ovens and washing machines that didn't insist on a wifi connection. The kitchen sink seems relatively safe for now, but I don't dare search for smart taps because I'm scared of how depressing the results will likely be.

        1. AndrueC Silver badge
          Flame

          Re: Toaster / Toothbrush / Shaver

          It's bad enough trying to find a tap that supports my house 'water network' already. It took me a couple of weeks to find a pair of bathroom taps that worked down to 0.1 bar. 0.2 bar taps do work upstairs but not particularly well. Tolerable for a small ensuite sink but not acceptable for the main bathroom.

          I'm still putting up with the 'low pressure compatible' kitchen sink taps. They claim to be 0.5 bar which in practice means that the hot tap does little more than dribble out. It's enough to fill a pan or the sink but you need the patience of a saint. I did find a 0.2 bar version but it was twice the price at nearly £300.

          I hate plumbing.

          P.S.: If anyone knows of a three way (hot, cold, drinking) kitchen tap with the hot/cold on a hose that works on less than 0.2 bar please tell me. Surely I'm not the only house left in the UK with a gravity-fed hot water system?

    4. davidp231

      Re: "a single Share button that calls the operating system's sharing feature"

      "Looking forward to the day where I can have a toaster service to command my IoT toaster and set the darkness on the bread. Not."

      See also: Linux Coffee HOWTO

      echo espresso && sugar > /dev/coffee

      echo darkness=2 > /dev/toaster

  6. Ken Hagan Gold badge

    ...regard Firefox as broken...

    ...right up to the day of the first exploit against these APIs and the "discovery" that only Chrome is affected.

  7. Jamie Jones Silver badge

    The opposite of MS

    MS were accused of absorbing the browser into the OS.

    Google are absorbing the OS into the browser.

    Stop it. The web browser is meant to be used to access websites, not be some great big security threat with access to everything.

    When the only tool you have is a hammer....

    And it's crap. Witness chromeOS. The only thing worthwhile on that is the Linux subsytem, and the android compatibility. Why did you add android capability, Google? So we could run an android BROWSER, or so we could run APPLICATIONS?

    I have some intensive android-only stuff (don't ask!) and fed up with the slowness of the converted android-TV box to android-desktop box (http://www.welshgit.net/photos/computers/desktop/android/), bought the most expensive Chromebox I could find.... It doesn't get used much.. The android parts run brilliantly fast, but the chromeos shite keeps getting in the way.

    Also, my mum's eyesight is very bad - she's legally blind. She tries to use a chromebook tablet because it's meant to have good accedsability features... So why do they insist that on a tablet that will never leave her house, she HAS to enter either a login password or PIN on startup?

    Why does it force start chrome everytime, despite the fact she's using android applications?

    Why can't the colour of the lower bar be changed so she can see it clearly? It's black - clashes with the color of the tablets case.

    Why, when you change the default "screen size" (fonts, image scaling etc) does the setting go back to default after reboot?

    As for Chrome, I had problems for a while debugging intermitently failing sessions on a site.... Turns out some of the links on the site (not mine) were linked to www.site.com and others to just site.com -- the session cookie was set for the exact domain only, and bloody chrome now doesn't show the "www" part of the address, so the 2 sites were reported as the same one... WTF?

    Also for chrome, I continually manually edit URLs in the URL bar. Now, every bloody time, you have to hit an extra "edit" icon to do the same.

    Youtube?? The recomendations page is now full of shite, and "stories" and a sorta crude tik-tok section. Oh, and the changes made to the "drag video position" bar are so brain dead, they have to be taking the piss.. Apparently it was because "people kept accidentally seeking to the end of the video when they wanted to actually hit "fullscreen". Yes, that was another bozo design cockup. The solution anyone normal would have done would have been to reduce the size of the seek-bar, so the fullscreen button is to the right of it, at a suitable distance, but no.. can't be logical, can we?

    And don't get me started on the number of scam videos youtube seems to not care showing.... Most generally have something like "the government wants to ban this", or similar, and then go on to make up more false claims about some gadget they see for 10times what you can get elsewhere.

    Phew, sorry, got into a bit of a rant there!

    1. dajames Silver badge

      Re: The opposite of MS

      ... why do they insist that on a tablet that will never leave her house, she HAS to enter either a login password or PIN on startup?

      The password on a Chromebook isn't a password for the Chromebook, it's a password for the Google account that the Chromebook is using. Without a password anyone could access that account from anywhere on any device.

      1. Jamie Jones Silver badge

        Re: The opposite of MS

        No, it's a password for the chromebook, that happens to be the same as the account one, and kept in sync with it.

        That's how you can still login without internet access, and indeed, you can set it to allow you to "login" with a pin instead of the password if you want.

        Granted, many of the apps within, (Chrome and android apps) are also tied to that login id by default, but that's no different than (say) an android phone - you don't have to have a password or pin to use the phone, yet your Googlie credentials will still be intact.

    2. ThatOne Silver badge
      Unhappy

      Re: The opposite of MS

      > I continually manually edit URLs in the URL bar. Now, every bloody time, you have to hit an extra "edit" icon to do the same.

      Be happy you still can access (view, edit) URLs! Mark my words, soon you'll need to use Google search to go to some site, the dirty technical stuff like actual URLs will be totally hidden to the "user". (For his convenience of course...)

      a. Most people already work like that: Even if they know the site's URL, they prefer going through Google search. Some even type the URL into Google search...

      b. For Google it's more/better information: That way they know at all times everything you visit.

  8. Howard Sway

    RE : Stop it. The web browser is meant to be used to access websites

    No, the Chrome web browser is meant to be used by websites to access you.

    1. Jamie Jones Silver badge
      Happy

      Re: RE : Stop it. The web browser is meant to be used to access websites

      Ha! I think you've got that right, unfortunately!

    2. zuckzuckgo Bronze badge

      Re: RE : Stop it. The web browser is meant to be used to access websites

      Exactly, the website is the customer and we are the product.

    3. davidp231

      Re: RE : Stop it. The web browser is meant to be used to access websites

      "No, the Chrome web browser is meant to be used by websites to access you."

      WIth Soviet Google, web browser accesses you!

  9. beekir

    For what it's worth, being able to access serial devices from a web browser will knock out a long-standing dependency on Internet Explorer (and plugins) for shipping departments across the world.

    1. IGotOut Silver badge

      That's a design issue. Someone decided to use a proprietary (obsolete) browser and fudge it rather than a native program, because...errmmm. No idea.

  10. Henry Wertz 1 Gold badge

    USB?

    Yeah, that's the last thing I need is to have some Javascript start interacting directly with my external hard drives, USB hub, and so on. I don't expect to be able to run ADB to my phone over the web either. I mean, it's fine to have these things exist I suppose, but I do hope they're off by default (I don't know, I run firefox.)

  11. Anonymous Coward
    Anonymous Coward

    The Internet connected directly to my hardware (thanks to Chrome)......

    So....I bring up Chrome, minimise Chrome, and get on with something else.....

    *

    ......what could possibly go wrong?

    *

    ......or did I miss something?

  12. six_tymes

    "that Mozilla, Apple see as harmful"

    So, it must be ok then.

  13. Chris Collins 1

    Why do they keep adding attack vectors to the browser?

    Google seem obsessed with making it a operating system by itself.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021