w3ctag / design-principles

A small-but-growing set of design principles collected by the TAG while reviewing specifications
https://w3ctag.github.io/design-principles

Require device identifiers to be origin unique #203

Open cynthia opened 4 years ago

cynthia commented 4 years ago

Many hardware integration related specs expose device identifiers (quite a lot of times raw) to the web. This is fine for a native API, but not for the web. Device identifiers should be only unique to a specific origin in a way that does not easily allow reversing of said origin-unique identifier. (e.g. hash?)

Related discussion here: https://github.com/WICG/webhid/issues/7

annevk commented 4 years ago

See also https://github.com/w3ctag/security-questionnaire/issues/80.

And your approach only works if they are only exposed to "first parties" as otherwise it would be a way to circumvent https://privacycg.github.io/storage-partitioning/.