WebKit / standards-positions

WebKit's positions on emerging web specifications
https://webkit.org/standards-positions/

Web Serial API #199

Open nondebug opened 1 year ago

nondebug commented 1 year ago

WebKittens

@marcoscaceres

Title of the spec

Web Serial API

URL to the spec

https://wicg.github.io/serial/

URL to the spec's repository

https://github.com/wicg/serial/

Issue Tracker URL

https://github.com/WICG/serial/issues

Explainer URL

https://github.com/WICG/serial/blob/main/EXPLAINER.md

TAG Design Review URL

No response

Mozilla standards-positions issue URL

https://github.com/mozilla/standards-positions/issues/687

WebKit Bugzilla URL

No response

Radar URL

No response

Description

WebKit declined to implement several APIs, including Web Serial, due to concerns over fingerprinting:

https://webkit.org/tracking-prevention/

I'm re-requesting WebKit's position on this emerging web specification because of changes we are planning to make to support Bluetooth RFCOMM serial ports.

Chrome Platform Status: https://chromestatus.com/feature/5686596809523200

Explainer: https://github.com/WICG/serial/blob/main/EXPLAINER_BLUETOOTH.md

Even though Apple is not considering implementing this API, we are still interested in any feedback WebKit can provide on Web Serial and our proposal to support Bluetooth RFCOMM serial ports.

rniwa commented 1 year ago

I'm not sure why adding even more API to Web Serial API would somehow lessen our existing concerns.

nondebug commented 1 year ago

Thanks for taking a look. I don't expect this feature would change WebKit's position on the API but filing the standards-position request gives us a place to discuss any new concerns that may be associated with the feature. The Tracking Prevention article documents the position well but there's no place to leave comments.

othermaciej commented 1 year ago

Is this requesting review of the new additions to Web Serial (Bluetooth RFCOMM serial ports)? Or for the Web Serial baseline spec itself? I am asking because RFCOMM support doesn't appear to be in the linked Web Serial spec yet, but it's provided as the link for "URL to the spec".

nondebug commented 1 year ago

Here's the pull request for the Bluetooth RFCOMM spec changes: https://github.com/WICG/serial/pull/189

I would like WebKit to generate an official position on Web Serial API that we can link from Chrome Platform Status, TAG design reviews, etc. The Tracking Prevention in WebKit article describes the position but doesn't have a published-on date, which makes it difficult to determine if it's still the official position. It also doesn't use the "support"/"neutral"/"oppose"/"not considering" categories adopted in this repo. I've been assuming the article implies "oppose" positions for the listed APIs but I would rather not have to assume.

According to the article, Web Serial API and other APIs are considered unsafe due to privacy and security risks. The Bluetooth RFCOMM feature doesn't address these risks so I expect there isn't much value in evaluating the feature separately from the rest of the spec. If you want, I can file a separate issue just for the Bluetooth RFCOMM feature.

The article considers fingerprinting risk to be blocking but only describes the concerns in unspecific terms. Web Serial API already includes some fingerprinting mitigations. If WebKit has the bandwidth to take another look, it would be helpful to re-open this discussion with a focus on where the existing mitigations fall short, and where the current design exposes users to privacy and security risks with no mitigations.