I'd like to see the threat model for Mozilla's security stance on WebUSB because afaik they haven't published it, because I am having a hard time coming up with one. I guess once you link USB capabilities and assume RCE one could e.g. write a keylogger? I guess? But that needs RCE, and at that point... you can find their reasoning here: https://mozilla.github.io/standards-positions/#webusb and the associated issue: https://github.com/mozilla/standards-positions/issues/100 copy & paste from the first link: > Because many USB devices are not designed to handle potentially-malicious interactions over the USB protocols and because those devices can have significant effects on the computer they're connected to, we believe that the security risks of exposing USB devices to the Web are too broad to risk exposing users to them or to explain properly to end users to obtain meaningful informed consent. It also poses risks that sites could use USB device identity or data stored on USB devices as tracking identifiers. in short: the average user of a browser is dumb and will click "approve" if the website tells them to do it. (yes, that's the same users who will vehemently deny ever doing so but were also the ones with 1000 toolbars in their Internet Explorer 6 - and damn, now i feel old if i can dig out IE6 references 🤣)