WICG / proposals

A home for well-formed proposed incubations for the web platform. All proposals welcome.
https://wicg.io/

Only accept signed code for WebUSB #7

Open anga opened 4 years ago

anga commented 4 years ago

Note: This is my first time trying to write a proposal and I'm not a security expert. It may contain many missing pieces, but any feedback is welcomed.

Introduction

The new WebUSB draft API is an amazing feature that may change how we think about webpages and webapps, but it lacks in security. Right now, the proposal says that a permission prompt is displayed to request access to a USB device. This is not completely safe, and privacy and security for a feature like this are crucial.

Use Cases

Suppose, for example, that a website has an XSS bug that may introduce untrusted WebUSB device requests from an untrusted source. If that website usually requests access to your USB, the user may give access to the USB to untrusted code.

Goals

Proposed Solution

To solve this issue, the JavaScript file that is going to be executed and request USB access must be signed with the same SSL pub/priv keys.

Signing the source code allows the browser to automatically reject USB access for code that is not signed by the origin. It also allows the browser to display a prompt with more information, like "Foo Bar LLC is requesting access to your USB device".

Examples

Mock example:

```javascript
// Hypothetical API sketch: fetch a signed script from the same origin,
// let the browser verify the signature, and only then run it.
webusb_js = WebUSB.requestDevice("https://www.samesite.com/webust_app.js.ssl")
webusb_js.run()
```

Privacy & Security Considerations

travisleithead commented 4 years ago

Wondering if this would be better filed/tracked under the existing WebUSB incubation's issue tracker? https://github.com/WICG/webusb/issues

reillyeon commented 4 years ago

Before considering whether we should require code signing for APIs like WebUSB we should explore how a code signing mechanism could work on the web in general. This shouldn't be a one-off proposal for a single API.

reillyeon commented 4 years ago

This was brought up as a separate issue on WICG/webusb#191 where I suggested stricter CSP rather than code signing, as it provides similar benefits. I think the work @mikewest has done on "securer contexts" is where we should focus effort here first.

marcoscaceres commented 8 months ago

As this was already raised and closed in WebUSB, @anga should this be closed?

Or do you want to open a new proposal based specifically around code signing?