Does this mean that box of random D-types I've got in the loft will be worth selling on eBay?
You can finally control serial devices from Firefox
Firefox will soon be able to communicate directly with your 3D printer. Thirteen years after the idea was initially proposed, the Web Serial API has landed in Firefox Nightly, Mozilla's work-in-progress channel for its browser. Web Serial allows browsers to interact with devices that communicate via serial ports, such as 3D …
-
Tuesday 14th April 2026 21:35 GMT Androgynous Cupboard
I know this one!
I used this API very successfully to create a UI to control an industrial lighting controller I designed a few years back - super useful being able to represent the internal state with graphs and controls in HTML, and it made updates a breeze as I could flash it from the web-page too.
The UI only worked in Chrome as a Chrome app, and Google (inevitably) pulled the rug out from that a few years later, necessitating a complex workaround. Great to see it in Firefox - it’s pretty useful.
-
-
Tuesday 14th April 2026 23:45 GMT Androgynous Cupboard
Re: I know this one!
Ah, the inevitable knee jerk “browsers are inherently unsafe” response. In fact for this case the opposite is true if you think about it..
First, the user has to select the device and approve the connection - you can’t sneakily connect to devices. Second, this is happening from a sandboxed and very well tested browser, not some random binary supplied by the hardware manufacturers you’re just supposed to trust.
Anyway, security comes from the process not the tools.
-
-
Wednesday 15th April 2026 03:27 GMT Jamie Jones
Re: I know this one!
Well, that's for servers. If you're talking about desktop computers, then install a driver. How do you think all other applications (including browsers) have printed/scanned/played music/taken videos before?
Accessing and controlling the hardware is the job of the OS not the browser.
And I know you're not talking about the other shite I mentioned, so this isn't directed at you, but relating to the "am I unique" link I posted, what possible good reason is there for a remote website to know the state of my battery without my say so or control? "so if you're low, it can serve you a lighter version of the page". FFS, What next? Knowing how hungry I am before showing food ads? Measuring my heartrate so as to determine whether to play jump-scare videos?
-
Wednesday 15th April 2026 11:40 GMT Bebu sa Ware
Re: I know this one!
"Measuring my heartrate …"
The slippery slope; the thin end of the wedge… as sir Humpty would have said.
Before long pornhub et al. wiil be interrogating your cardiac pacemaker to determine whether the requested "instructional" video might be safely played. "Sorry Dave, I can't do that."
-
-
-
-
-
Tuesday 14th April 2026 22:01 GMT Jamie Jones
NO!
Stop adding shit to a *browser*
I want to look at web pages, not control the network. And look how much crap is already thrown out to fingerprinters out there.. I don't want any of it. Just render a web page.
-
Tuesday 14th April 2026 23:53 GMT steelpillow
Re: NO!
YBMTI. Soon, all we will need is SystemD and that Any Modern web browser, and wee're all pwwned Cap'n Mannering, pwwwnd I tell ye!
Even HTML5 Sucks
-
Wednesday 15th April 2026 12:16 GMT Bebu sa Ware
Re: NO!
Mr Inchbald really went to town with html5.
Unforgivably, he is probably right.
Html + css (any version and combination) always seems like a dogs breakfast (or vomit) to me, with java/ecma·script to rub your nose into the mess.
Fortunately I never had to concoct anything that required more than some basic html and css - using vi of course.
I suspect more than a few "web designers" are on a permanent secondment with the pixies. The highly dynamic and graphic web site that the designer thought text might be best styled dark fecal brown on a pitch black background would be effective - not presumably meaning readable - is enough to turn a life-long opponent of capital punishment.
"pwwwnd I tell ye!" - Certainly dooomed!
-
Wednesday 15th April 2026 14:01 GMT Androgynous Cupboard
Re: NO!
That would be HTML and CSS, the most widely used document model in the world by many orders of magnitude? The one used for billions of page views a day, that can give identical layout in software by multiple manufacturers on multiple platforms, that works on our desktop and your phone in every language in the world, that has best-in-class support for accessibility and that that is an editable, open, documented text format not a proprietary binary one? The one with an open test-suite running to over 60,000 tests? Yeah, it sucks alright.
As with Brexit, the good old days you want to go back to are largely imagined. Here is some HTML I wrote for a contract in February 1996:
<HTML><HEAD><TITLE>Netscape NNN prototype</TITLE></HEAD><BODY BACKGROUND="gif/paper.jpg" BGCOLOR=#ffffff LINK=#ff0000 VLINK=#ff00ff TEXT=#000000><center><FONT SIZE=5>Welcome to the Netscape Web NNN prototype</FONT></center><TABLE CELLSPACING=25><TR VALIGN=top><TD WIDTH="50%">To run this prototype you will need:< UL>< LI>Netscape Version 2.0 beta 5 or later. < em>Please note that releases prior to beta 5 will not work</ em></ LI>< LI>A monitor displaying at least 800x600 in 16 colours</ LI></ UL>... etcThat's 30 years old and yet will still render roughly correctly in modern software - as markup formats go, I'd guess only PDF can make the same claim - and it's already using EM not B, making Steelpillow's blog ranting about the modern "tale of em and strong" look a little silly. And it's nasty: arbitrary colors and sizes hard-coded in, no ability to adapt on smaller screens, no "dark mode". The semantics of HTML are largely unchanged - what's really changed is the ability to focus on just semantics in the HTML, and push all styling into the CSS. You think it's a step backwards? Convince me that "font size 5" was better, and I'll believe you. A bit later in the above document I felt it necessary to tell the user to "turn off underlining to improve appearance". Halcyon days they were not.
-
Wednesday 15th April 2026 14:51 GMT Anonymous Coward
Re: NO!
Ah, CSS, that *wonderful* styling language that 15+ years on still has no clear and simple way to put this Thing beside that Thing, oh, no, you need thirteen variously nested div's to carry the placement and sizing rules because you can't put certain properties on certain other tags for Reasons.
> that can give identical layout in software by multiple manufacturers on multiple platforms
Mmm, yes, it's so cross-platform it has to have eleventy-gazillion unique sections with guard rules to only load this or that bit for this or that browser(-version)+platform combination. I thought the whole point of CSS was to style it once and the browsers were supposed to all show things the same almost down to the pixel? (Modulo font selection, but hey, why rely on local default fonts when you can load another couple megabytes from $dog only knows where?)
Have you ever inspected the gigantic mess that is a "modern" web page? Have you ever tried visiting a site from a variously old but otherwise ought-to-be-just-fine computer, on a connection that 30 years ago would have been blistering fast?
Never mind even that case; consider a computer made in the last 5 years, connected 1 hop off a carrier gigabit backbone, which *still* gags and stutters if I don't have NoScript installed because of all the CSS+JS crapware.
-
Wednesday 15th April 2026 15:12 GMT Androgynous Cupboard
Re: NO!
You don't need 13 nested divs to do anything, but there are plenty of people that do it that way. There are many shit web-designers, just like there are plenty of shit programmers, piling on complexity in lieu of understanding. This shouldn't be a surprise.
Guard rules, I genuinely have no idea what you're talking about. Are you referring to the old MS IE hacks that people still include despite the fact the MS IE literally no longer exists? See previous observation. Same for 1GB web pages. Modern CSS can, and does, style down to the pixel - see those 60,000 tests, some of which I've written so I do know what I'm talking about. The results are quite literally pixel perfect.
The irony of a bunch of people that clearly haven't spent the time to understand modern HTML and CSS, using the output of other people that don't understand modern HTML and CSS to complain about modern HTML and CSS is not lost on me, but may be on you. Learn to properly use the tools you've been given, that is my advice. Like the tools, it is free of charge.
PS. "put this thing beside that thing", assuming beside means horizontally - well you could try CSS anchor positioning for any arbitrary thing in any arbitrary hierarchy, or you could use...I dunno, flex, or grid, or inline-block layout, which for the trivial case you describe will give you 100% predictable results on any Browser written in the last ten years. HTH.
PPS. "on a connection that 30 years ago would have been blistering fast?" - I could not illustrate my "Brexit" point in my previous comment any better, thank you. My 56kb modem from 30 years ago would like a word.
-
Thursday 16th April 2026 09:13 GMT richardcox13
Re: NO!
Ah, CSS, that *wonderful* styling language that 15+ years on still has no clear and simple way to put this Thing beside that Thing, oh, no, you need thirteen variously nested div's to carry the placement and sizing rules because you can't put certain properties on certain other tags for Reasons.
Not true for quite a while now. In fact almost trivially easy these days thanks to
display: flex. You do need a common parent element, but that's likely already there.
-
-
-
-
-
Wednesday 15th April 2026 19:47 GMT Jamie Jones
Re: NO!
You missed the word "Just".
And when bloat is added to something, and potentially becomes a security risk, "don't use it if you don't want to" is a dumb statement.
I don't want sites fingerprinting my GPU specs, battery status, screen size, or how many fonts I have installed on my system, but unless I disable JS completely, I can't stop them.
-
Wednesday 15th April 2026 21:24 GMT DrXym
Re: NO!
There is no such thing as "just" in a modern browser. Modern browsers are able to read from disk, render webgl, communicate with joysticks, use local storage, get location, show notifications, go fullscreen, control VR, control microphone/camera/speaker, show video, implement websockets / web transport and a bunch of other things.
Where is your line in the sand? "Just rendering content" is a meaningless statement unless your idea of content is ancient content which does none of these things.
And no it's not dumb to say don't use it. Browsers requite explicit consent to access the serial API. If you don't want to use it say no. Not that you're likely to be asked unless you use a site which needs it, for programming arduinos, or drones or whatever. And if you're paranoid about even that, then disable it altogether.
-
-
Thursday 16th April 2026 03:55 GMT steelpillow
Re: NO!
>You are not compelled to use it if you don't want to. And last I checked browsers, do in fact render web pages and will continue to do so.
Bollocks.
My bank and my doctor both demand I access them through their bloody web forms.
And my browser does not render those enshitiified excuses for a receptionist with full functionality.
-
-
-
Tuesday 14th April 2026 22:21 GMT DS999
This is NOT needed
Browsers are not an operating system, they don't need to be directly accessing USB, serial, and other devices. I get that Google wants to kill "apps" by making everything run in a browser, so that they can take a big cut from their advertising but Firefox should not be wasting their time implementing these stupid "standards" Google pushed through.
-
Wednesday 15th April 2026 00:56 GMT david 12
Re: This is NOT needed
By the same token, browsers are not an operating system, they don't need to be directly accessing the internet.
I understand the idea that browsers should only be GUI interpreters, with all the HTTP stuff handled by the OS, but that's not how OS's were (or are) built. If there was a generic connection-agnostic backend that browsers used, I'd be happy to use that. But there is not. When the OS's starting providing a cross-platform Web API that is os-agnositic and connection-agnostic, I'll be happy for the HTML renderers to use that. Until then, they need to provide the functionality that is missing.
-
-
Wednesday 15th April 2026 17:08 GMT martinusher
Re: This is NOT needed
...and the protocols they use are embarrassing hacks. The worst is http itself -- it takes TCP, a protocol that's ironically designed to emulate a serial terminal over a network and adds the framing mechanism from FTP to convert it back to a datagram oriented protocol. It being text oriented it can't efficiently transmit binary. It really is a mess.
Most programmers don't have a clue about the firestorm of network chaos unleashed by a simple page load. Obviously there are tweaks and hacks but just adding in WiFi to the mix generates yet more traffic. Obviously there's been lots of tweaks and mods to the protocols over the years but if you start with a fundamentally flawed foundation then all you do by tweaking it is you add complexity which may or may not work (what you do in practice is demand more processing power and network bandwidth until you end up using the equivalent of what used to be a half-decent mainframe to just load a web page -- and that's without the entire advertising ecosystem trying to get in on the act.
-
Wednesday 15th April 2026 23:01 GMT Androgynous Cupboard
Re: This is NOT needed
> The worst is http itself -- it takes TCP, a protocol that's ironically designed to emulate a serial terminal over a network and adds the framing mechanism from FTP to convert it back to a datagram oriented protocol. It being text oriented it can't efficiently transmit binary. It really is a mess.
Er, what? Of course it’s not text oriented, where on earth did you get that from? For streaming a large binary file it is on par with any other TCP stream. For short files the headers are a bit wordy, but HTTP/2 and SPDY improve on that.
As for “FTP framing” and “datagram oriented” (in TCP?!?), if you mean chunked encoding that is possible but certainly not the norm.
-
-
-
-
Wednesday 15th April 2026 02:36 GMT Pulled Tea
Re: This is NOT needed
You know what this means — you've got serial device control on your browser, next step is to make your browser the window manager— oh, shit, lol.
-
Wednesday 15th April 2026 08:35 GMT VoiceOfTruth
Re: This is NOT needed
I agree, but there are a couple of "but"s.
But 1. The browser is a code execution environment, it has built in password management, file handling, resource management, and so on. So it is similar to an operating system in those respects.
But 2. For anyone who actually wants to do this, Firefox will disqualify itself by default if it doesn't provide it.
But I do agree 100%. Firefox should concentrate on making a browser.
-
-
Wednesday 15th April 2026 05:37 GMT Benegesserict Cumbersomberbatch
And here was me just last night coming to terms with the otherwise apparently reasonable keyboard manufacturer who, rather than write software to support their device on Win/macos/Linux/*BSD, use... (wait for it) a web app!
Now the only thing I need to be worried about in respect of web security is anything one can use a keyboard to make my computer do.
-
-
Wednesday 15th April 2026 12:23 GMT Bebu sa Ware
Re: Serial links?
"telnet:// URI"
I didn't believe that the first time I saw it in the late '90s where users on Win9X(?) boxes used IEexplorer to login into my Unix server to read their email with pine.
In essence only a convoluted desktop bookmark or shortcut to the Windows telnet client.
-
-
Wednesday 15th April 2026 12:28 GMT tiggity
"Six years ago, Mozilla opposed Web Serial as unsafe."
Hands up who thinks this is more slippery slope from the (unfortunately for quite a while now slippery) folk now in charge of FireFox.
Just waiting to see when the USB API red line also crumbles.
I'm assuming it's based on the idea that most common peripherals are USB these days, so serial devices more likely to be used by hobbyists / enthusiasts?
-
Wednesday 15th April 2026 12:53 GMT DrXym
I used this the other day
I bought an Xteink x4 device which is a tiny e-reader powered by an ESP32. I wanted to install custom firmware and I was able to plug the thing into my computer, and flash it straight from the website using the browser over serial. This was WAY easier than having to download some flash software and arguably a lot safer.
-
Wednesday 15th April 2026 13:18 GMT retiredFool
Re: I used this the other day
It may have been easier, but it certainly is not safer. Having that extra step of downloading and then having another step to flash it is safer. Why, well, one you'll think about it a little more. two, you may have a sha code that you can validate the download is really the download you thought it was. Its not like people have not poisoned some repositories lately.
Generally you give up security for convenience.
-
-
-
Wednesday 15th April 2026 22:16 GMT Androgynous Cupboard
Re: I used this the other day
Just want to note I have had that sort of install process render a machine unbootable after installing a kernel module in the wrong place, trashing the kernel boot arguments and rebooting, unaware I used nfsroot.
But of course, it’s browsers that are insecure and that we should all be worried about.
-
-
-
Wednesday 15th April 2026 18:45 GMT DrXym
Re: I used this the other day
Requiring me to download the firmware AND some launch some random flash software is not safer. I was able to directly flash straight from the browser into the device over the API without running any questionable executable that might have decided to root my machine when it was launched.
-
Wednesday 15th April 2026 19:08 GMT DS999
Re: I used this the other day
If a "questionable executable" can root your machine why do you trust that code running in Chrome won't?
Just look at all the browser based exploits that are constantly found and reported - and look forward to that flood possibly becoming a tidal wave soon when the Mythos patches start to hit.
If you have to download a dodgy executable it is trivial to run it under a dummy user in a chroot jail or a container or something.
-
-
-
Thursday 16th April 2026 08:03 GMT DrXym
Re: I used this the other day
I don't know why you need to blink to understand this. Chrome and other browsers are purposefully designed to protect you and have been security hardened for the purpose they were made for.
It does NOT mean there are no exploits, and I am not saying that. But if there are exploits, it is outside of some serial API which exists for a specific purpose which happens to negate the need to run additional software on a computer for specific use cases.
This should be obvious just by thinking about it.
-
-
Friday 17th April 2026 09:06 GMT DrXym
Re: I used this the other day
Two reasons - 1) security works in layers, something running in a browser has to get through that to get to the operating system, 2) a native executable on your desktop bypasses that protection and has a multitude of ways of exploiting the operating system and user to elevate privilege to do something they would not be allowed to do normally.
This is a simple fact, it's obvious and this discussion is absurd.
A tightly controlled serial API in a browser is better from a security point of view than the alternative, of having to use a multitude of untrusted executables to flash firmware, communicate with an EPOS device, program / debug an arduino, program a drone, send print instructions to a CNC / 3d printer, read a web page as braille etc. etc. which are all things this API is there to enable.
-
Friday 17th April 2026 14:12 GMT Androgynous Cupboard
Re: I used this the other day
We're still going on this? OK.
- Running JS in the browser: the security risk is that someone breaks out of the browser sandbox and is able to run arbitrary commands.
- Running a program or script: they're already able to run arbitrary commands.
DrXym gets it, but I'm kind of surprised we're having so much trouble getting this across. Do I trust Google or Mozilla? No. Do I trust them more than random company X not to attack my computer, accidentaly or intentionally? Yes.
The browser in this context is an additional layer of security - no one claims it is perfect, but removing it does not make things more secure.
-
-
-
-
-
-
Thursday 16th April 2026 08:15 GMT DrXym
Re: I used this the other day
And it's a completely falacious and absurd assertion because the number of people who are capable of and motivated to run a container configured to talk with a real serial port is diminishingly small and it wouldn't even stop CPU / timer attacks because the code is still running natively.
Also Mythos will find bugs all over the place I'm sure, including within browsers. It still does not follow that the solution therefore is to download and run some dodgy executable instead through that same browser.
-
Thursday 16th April 2026 18:07 GMT DS999
Re: I used this the other day
the number of people who are capable of and motivated to run a container configured to talk with a real serial port
This is what the absurd assertion is.
Serial ports are WAY outdated. If you have a need to communicate with them you're deep in the territory of "hobbyist" or some specialized business need to interface with outdated equipment. Both categories are EXACTLY the type of people knowledgeable enough to be capable of this, and if they are worried about the security of "running a random app" they would easily be motivated (if they don't already know) to figure out how to set this up - or maybe ask Claude, I bet it could produce a script for you to do this in a few seconds!
-
Saturday 18th April 2026 18:27 GMT DrXym
Re: I used this the other day
Maybe you should google what serial means in this day and age - hint: lots of USB devices are communicating over serial. Everything from braille readers, microcontrollers, drones, CNC / 3D printers, EPOS terminals. Lots of stuff. Being able to do it from the browser cuts out the need to run software natively which improves convenience and security.
I honestly do not understand what you're trying to argue for here aside from some kind of Amish browser - "this much and no more". If you're so keen on Claude ask it "what benefits are there to the serial API running in the browser", or "what uses cases are there for a serial API in the browser". Enlighten yourself.
-
-
Tuesday 21st April 2026 12:25 GMT Androgynous Cupboard
Re: I used this the other day
No. Putting a locked room in a locked room does not increase the attack surface. Putting an extra door into a locked room, that does increase the attack surface. The key word is "layer" - don't make me explain series vs parallal or the concept of security-in-depth.
General statements about security are begin shared as gospel here, but they are a poor substitute for spending the time to think about the specifics of this problem.
PS. the "all USB devices are serial" is true at some level, of course, but it's also true that many don't present as a serial device to the OS. My monitor is connected over a USB-C cable, but it's a stretch to say it's connected as a serial device. None of these devices would be accessible to the API this article is about.
-
-
-
-
-
-
-
-
-
Wednesday 15th April 2026 23:21 GMT saltycupcakes
This is niche but quite useful.
This is really useful for flashing ESP32s and Arduinos without needing a compiler, I have to keep Chrome installed on my desktop just for this purpose, with this change I will be able to get rid of it.
The security and fingerprinting concerns are overblown (I suspect its just an excuse the devs came up with because they couldn't be bothered to implement it), on Chrome it can't be used for fingerprinting, trying to open a webserial connection opens a prompt in Chrome to select which device you want to expose, the website is not told what device you attached or how many there are (if any). I think if someone has a serial adapder attached that links to another system with passwordless sudo access and they click on that device and then click confirm when prompted they have a bigger problem than webserial.
