why does webhid not expose the device BCD/Release number ?

[JunzheFan]

I can get the device's version via Webusb's versionMinor and versionMajor attribure, I am just wondering why webhid does not expose this so that we can get the release version of the device for use with firmware update checking or so, I am using Webhid api from Electron

[nondebug]

I think it would be reasonable to expose the device firmware version.

Device identifiers like bcdDevice are persistent identifers that can be used for active fingerprinting. When considering whether to add new observable characteristics to the API, we should evaluate the severity of the fingerprinting surface.

Entropy: bcdDevice can hold any 16-bit value so at worst it adds 16 bits of entropy per device. However, I expect most devices only receive a small number of firmware updates (<16), so exposing the firmware version likely only adds ~4 bits of entropy for most devices.

Detectability: WebHID API doesn't passively expose any device characteristics. The user agent can easily detect when a page is accessing device details.

Persistence: The firmware version for a device stays the same until the next time the device is updated. Users don't have control over the value except in choosing when to update.

Availability: Device information is only available if the user has already granted permission for the site to access the device. A separate permission must be granted for each device.

Scope: bcdDevice is a property of the connected device and will be consistent across all origins.

This functionality is necessary because applications want to provide firmware update functionality. Most USB devices assume the application can access the firmware version through bcdDevice and don't provide an alternate interface.

There isn't any way we can narrow the scope. Applications depend on comparing the exact value of bcdDevice with known values, and any 16-bit value can be a bcdDevice version.

I think the necessity of this information for the firmware update use case outweighs concerns about increased fingerprinting surface.

bcdDevice is specific to USB devices. If we add bcdDevice (or deviceVersionMinor/deviceVersionMajor like WebUSB) to HIDDevice then it should be optional since other transports do not have an equivalent.

[JunzheFan]

@nondebug hi sir, can I ask you a topic-unrelated question, I am somehow get confused by the permisson checking of webhid, how does webhid store the device permission so that it can remember when being re-plugged? I tested around for a while, and I assume the permission is stored somewhere inside Chromium, is it stored based on the serial number or vid + pid ?

[nondebug]

WebHID in Chromium has two types of device permissions: ephemeral and persistent.

Ephemeral permissions are automatically revoked when the device is disconnected or the browser is closed.

Persistent permissions are remembered when the browser is reopened or the system is rebooted.

Not all devices are eligible for persistent permissions. The problem is that some devices don't expose any persistent identifier the browser can use to re-identify the device. A device is eligible for persistent permissions if it's a USB HID device with a non-empty serial number string descriptor and non-empty product name descriptor. The browser stores the vendor ID, product ID, and serial number in the permission object and uses that information to re-identify the device.

[JunzheFan]

@nondebug one more question sir, do you think it's ok to expose the serial number ? it may seem rare, but if i happen to have two identical devices connected(i.e same vid, pid, usage structure) and the only difference would be the serial number, in this case it's not possible to tell which one is which by the current webhid implementation