navigator.getGamepads fails to find connected gamepad

lachlansleight commented 3 years ago

Description

The Gamepad API is for detecting connected video game controllers like joysticks, Xbox/Playstation controllers, etc. The way it's meant to work in chrome is you call navigator.getGamepads(), and an array of connected gamepads is returned. Note that the intended behaviour is that no gamepads are returned until they've received at least one input event since the page was loaded.

Steps to Reproduce

Create the following javascript code, set to run once the page has finished loading:

let interval;
if (!('ongamepadconnected' in window)) {
    // No gamepad events available, poll instead.
    // In firefox, you can call window.addEventListener('gamepadconnected') to achieve similar results
    interval = setInterval(pollGamepads, 500);
}

function pollGamepads() {
    const gamepads = navigator.getGamepads ? navigator.getGamepads() : (navigator.webkitGetGamepads ? navigator.webkitGetGamepads : []);
    let success = false;
    for (let i = 0; i < gamepads.length; i++) {
        const gp = gamepads[i];
        if (gp) {
            success = true;
            console.log("Gamepad connected at index " + gp.index + ": " + gp.id +
                ". It has " + gp.buttons.length + " buttons and " + gp.axes.length + " axes.");
            clearInterval(interval);
        }
    }
    if(!success) console.log("No gamepads connected");
}

Expected result:

Console output should look like this

Console output should look something like this (confirmed working in Chrome 85.0.4183.102):

No gamepads connected
No gamepads connected
No gamepads connected
No gamepads connected
No gamepads connected

Until a button is pushed or axis is changed on a connected joystick, at which point the following output is generated:

Gamepad connected at index 0: Xbox 360 Controller (XInput STANDARD GAMEPAD). It has 17 buttons and 4 axes.

Actual result:

Console output just continues to stay as No gamepads connected, indicating that navigator.getGampepads is not finding the connected gamepad

Reproduces how often:

Easily reproduced

Brave version (brave://version info)

Brave	1.14.81 Chromium: 85.0.4183.102 (Official Build) (64-bit)
Revision	ffe848af6a5df4fa127e2929331116b7f9f1cb30-refs/branch-heads/4183@{#1770}
OS	Windows 10 OS Version 1903 (Build 18362.1082)
JavaScript	V8 8.5.210.20
Flash	(Disabled)
User Agent	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36
Command Line	"C:\Program Files (x86)\BraveSoftware\Brave-Browser\Application\brave.exe" --enable-dom-distiller --disable-domain-reliability --no-pings --extension-content-verification=enforce_strict --extensions-install-verification=enforce --origin-trial-public-key=bYUKPJoPnCxeNvu72j4EmPuK7tr1PAC7SHh8ld9Mw3E=,fMS4mpO6buLQ/QMd+zJmxzty/VQ6B1EUZqoCU04zoRU= --sync-url=https://sync-v2.brave.com/v2 --enable-features=AutoupgradeMixedContent,PassiveMixedContentWarning,WinrtGeolocationImplementation,MixedContentSiteSetting,WebUIDarkMode,OmniboxContextMenuShowFullUrls,DnsOverHttps,PrefetchPrivacyChanges,PasswordImport,ReducedReferrerGranularity --disable-features=AutofillEnableAccountWalletStorage,AllowPopupsDuringPageUnload,NotificationTriggers,PrivacySettingsRedesign,VideoPlaybackQuality,SmsReceiver,TabHoverCards,PasswordCheck,AutofillServerCommunication,TextFragmentAnchor,SafeBrowsingEnhancedProtection --flag-switches-begin --flag-switches-end --enable-audio-service-sandbox --lso-url=https://no-thanks.invalid --enable-features=ReducedReferrerGranularity,PasswordImport,PrefetchPrivacyChanges,LegacyTLSEnforced,DnsOverHttps,OmniboxContextMenuShowFullUrls,MixedContentSiteSetting,AutoupgradeMixedContent,WinrtGeolocationImplementation,PassiveMixedContentWarning,WebUIDarkMode --disable-features=SafeBrowsingEnhancedProtection,TextFragmentAnchor,AutofillServerCommunication,PasswordCheck,TabHoverCards,SmsReceiver,VideoPlaybackQuality,PrivacySettingsRedesign,NotificationTriggers,AllowPopupsDuringPageUnload,AutofillEnableAccountWalletStorage --flag-switches-begin --flag-switches-end --enable-audio-service-sandbox -- https://discord.gg/ydkKARm
Executable Path	C:\Program Files (x86)\BraveSoftware\Brave-Browser\Application\brave.exe
Profile Path	C:\Users\Lachlan\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default
Variations	5e3a236d-4113a79e

Version/Channel Information:

Can you reproduce this issue with the current release?
- Yes
Can you reproduce this issue with the beta channel?
- Not sure
Can you reproduce this issue with the nightly channel?
- Not sure

Other Additional Information:

Does the issue resolve itself when disabling Brave Shields?
- No
Does the issue resolve itself when disabling Brave Rewards?
- No
Is the issue reproducible on the latest version of Chrome?
- No

Miscellaneous Information:

bsclifton commented 3 years ago

This might be intentional - I think we're disabling certain APIs by default cc: @pes10k

pes10k commented 3 years ago

This is a side effect of us disabling WebUSB, since it (with the gamepad API) allows sites to fingerprint you based on your attached hardware.

@bsclifton we could consider moving these features behind shield instead of outright disabling though. That would be useful for folks ok with dropping shields to accomplish some non-common task on a page (gamepad use, for example) though would make things more difficult implementation wise. What do ya think?

bsclifton commented 3 years ago

@pes10k that would be nice - but like you're saying, it would make implementation more difficult

How is WebUSB being disabled now? I didn't see it in app/brave_main_delegate.cc

pes10k commented 3 years ago

Actually, surprise(!), It looks like its no longer disabled in Brave. This was a surprise to me. I'm no longer sure why we're behaving different than Chromium here. Maybe it'd be best to ask other brave core folks and circle back then?

rebron commented 3 years ago

@lachlansleight per the last comment it looks like navigator.usb is not disabled. Can you retest with our latest as well Brave 1.16.68

lachlansleight commented 3 years ago

Yeah it totally works now, interesting! I wonder what changed...

pes10k commented 3 years ago

Terrific! Thanks for letting us know @lachlansleight !

kungfooman commented 1 year ago

So users can be tracked based on USB devices now?

pes10k commented 1 year ago

@kungfooman , no, that is not correct. Web sites cannot access or learn about your USB devices unless you grant the site permission. That permission has the same lifetime as other forms of first party storage sites already have access to (localStorage, first party cookies, etc), and access to USB devices is cleared at the same time you clear other types of storage.

One thing we might consider doing is removing or randomizing the serial number from USB devices you've given a page access to. That'd invite some webcompat risk, but is probably doable. Its just npt a very high priority (given the other privacy risks we're trying to address) at the moment since sites cant use that serial number to identify you until after you've given the site permission to access your USB device (and the number of sites that try to access a USB device is extremely small, and the number of sites users will grant USB access on is smaller still).

That said, itd be a good thing to do when time permits, and I'll create an issue to track it

pes10k commented 1 year ago

https://github.com/brave/brave-browser/issues/28146

brave / brave-browser