WICG / webusb

Connecting hardware to the web.
https://wicg.github.io/webusb/

Security considerations should mention access to keyboards, FIDO devices, etc. #100

Open jyasskin opened 7 years ago

jyasskin commented 7 years ago

There's a risk that a user would be tricked into granting access to their keyboard or FIDO device, leading to the website being able to read passwords and generate security assertions. I think that other aspects of operating systems prevent this, but the spec ought to say that.

larsgk commented 6 years ago

How do you get access to devices not containing the WebUSB BOS and Interface parts? Also, the user chooses from a list not accessible to the script, afaik.

reillyeon commented 6 years ago

@larsgk WebUSB descriptors are not required. Socially engineering the user into selecting a sensitive device is a concern. Recommendations for filtering out particular devices and the OS mechanisms that naturally prevent access to them are relevant topics for the spec.
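
A sketch of the chooser-side device filtering mentioned in the last comment, added here as an example; it is not part of the thread or of the WebUSB spec. The class codes are USB-IF base class values, while the choice of which classes to protect, the blocklist entry, the function names and the sample descriptors are assumptions constructed for illustration.

```javascript
// USB-IF base class codes. Which ones to protect is an assumption of this sketch.
const PROTECTED_CLASSES = new Map([
  [0x03, "HID (keyboards, mice, FIDO tokens using the HID transport)"],
  [0x08, "Mass storage"],
  [0x0b, "Smart card"],
]);

// Hypothetical explicit blocklist keyed by "vendorId:productId" (constructed value).
const BLOCKED_DEVICES = new Set(["ffff:0001"]);

const hex4 = (n) => n.toString(16).padStart(4, "0");

// Returns null when the device must not appear in the chooser at all,
// otherwise a copy of the device exposing only its claimable interfaces.
function filterDevice(device) {
  const key = `${hex4(device.vendorId)}:${hex4(device.productId)}`;
  if (BLOCKED_DEVICES.has(key)) return null;

  // An interface is protected if ANY alternate setting has a protected class,
  // so it cannot be reached by switching alternates after the grant.
  const claimable = device.interfaces.filter(
    (iface) => !iface.alternates.some((alt) => PROTECTED_CLASSES.has(alt.interfaceClass))
  );

  // Nothing left to claim (e.g. a plain keyboard): hide the device entirely,
  // so the user cannot be talked into selecting it.
  return claimable.length === 0 ? null : { ...device, interfaces: claimable };
}

// The list the user picks from; the page's script never sees the unfiltered set.
function chooserList(devices) {
  return devices.map(filterDevice).filter((d) => d !== null);
}

// Constructed sample descriptors (not real products).
const iface = (n, cls) => ({ interfaceNumber: n, alternates: [{ interfaceClass: cls }] });
const SAMPLE_DEVICES = [
  { name: "keyboard", vendorId: 0x1234, productId: 0x0001, interfaces: [iface(0, 0x03)] },
  { name: "composite token", vendorId: 0x1234, productId: 0x0002,
    interfaces: [iface(0, 0x03), iface(1, 0xff)] }, // HID + vendor-specific
  { name: "dev board", vendorId: 0x1234, productId: 0x0003, interfaces: [iface(0, 0xff)] },
  { name: "blocklisted", vendorId: 0xffff, productId: 0x0001, interfaces: [iface(0, 0xff)] },
];

console.log(chooserList(SAMPLE_DEVICES).map((d) => d.name));
```

The composite device stays selectable, but only its vendor-specific interface is exposed; the HID interface is never handed to the page.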