Security concerns

[marcoscaceres]

The document kinda outlines all the reasons why such an API wouldn't make sense on the web.

• Security Risks: Allowing web applications to scan the local network could expose the network and connected devices to potential security breaches. Malicious websites might exploit this feature to gather sensitive information about network devices, including printers, computers, and other connected devices. In particular, it would allow attacking printers themselves directly.
• Privacy Concerns: If a web API can scan for printers, it might also be able to access other information about the network, leading to privacy issues. Users' network configurations and device details could be inadvertently exposed.
• Network Performance: Continuous scanning of the network by multiple web applications could lead to network congestion, reducing the overall performance of the network.
• Potential for Misuse: Such an API might be misused for purposes other than intended, such as for creating botnets, launching denial-of-service attacks, or spreading malware within a network.
• User Consent and Control: Implementing such a feature raises questions about user consent and control. Users might not have clear information or control over which web applications are accessing their network printers and other devices.

I honestly don't see how this is an improvement on what we already have on the Web.

If there are issues with printing itself (or, in the case of #10), it would make more sense to just have a "print({as: 'pdf"})" or something (and even in the case, some OSs already just provide this, like macOS and iOS... so it's not even need it?).

However, exposing locally networked devices to web pages seems like a non-starter.

What's the problem with the current print dialogs and functionality provided by OSs? How would this be any sort of improvement, specially if every site started creating their own print dialog? What happens if the browser is closed while printing etc. How would it interface with existing printing dialogs? Won't it just replicate what basically every app already does? (i.e., just rely on the OS print UI... why roll your own?)

[reillyeon]

It seems like core to your concerns here is the idea that this API allows a site to scan the local network or send arbitrary network traffic. That isn't the intent at all. If there's a particular section of the explainer which gives this impression please let us know.

There are two UX options in https://github.com/WICG/web-printing#suggested-options, the first option would grant access to information about all configured printers, similar to how getUserMedia() grants access to information about all connected cameras, while the second option would require the user to choose which printer to grant access to, similar to how more modern APIs like Web Serial work. In neither case would the site be given the broad ability to scan the network for arbitrary devices. Access would be mediated by the underlying operating system's printing API, which provides information about printers the user has set up and nothing else.

The https://github.com/WICG/web-printing#main-motivating-use-case-remote-printing section explains the problem with the current print dialogs in the context of a particular category of web apps that do server-side generation of documents for printing.