Open jyasskin opened 7 years ago
How do you get access to devices not containing the WebUSB BOS and Interface parts? Also, the user chooses from a list not accessible to the script, afaik.
@larsgk WebUSB descriptors are not required. Socially engineering the user into selecting a sensitive device is a concern. Recommendations for filtering out particular devices and the OS mechanisms that naturally prevent access to them are relevant topics for the spec.
There's a risk that a user would be tricked into granting access to their keyboard or FIDO device, leading to the website being able to read passwords and generate security assertions. I think that other aspects of operating systems prevent this, but the spec ought to say that.