[web-bluetooth] Using Bluetooth from WebExtension (#612)

eqvinox has just created a new issue for https://github.com/WebBluetoothCG/web-bluetooth:

== Using Bluetooth from WebExtension ==
Are there any plans to make WebBluetooth usable from a browser add-on? (I'm not enough of a web developer to know if this is "automatic" or needs additional specification work…)

Speaking as someone currently building a BLE device, I have to agree with Mozilla's position that WebBluetooth is too much of a security and privacy risk to roll out. In particular, I don't have enough hubris to believe my webpage won't ever have XSS issues (thus yielding BT control over my device to malicious 3rd parties), and neither do I really want a low barrier to other websites talking to my devices.

From a user perspective, much of the same applies; I wouldn't ever feel comfortable granting BT permissions to *any* website. I also believe this pattern to be harmful to less technically inclined people — granting permissions to a website is a much lower psychological bar of trust than installing an application. I've seen "number of clicks" argued in other issues. 2 clicks in a browser are not the same as 2 clicks in an app store (or even the browser's extension manager.)

As such, I'd rather create a browser extension to support my devices; the extension can then control and expose a limited interface to some websites. This also has the advantage of having a review and update process, and allows (if properly designed) moving the blocklist from browser updates to the extension "store". It's quite simply a useful additional layer of security (and privacy.)

Any comments? Was this previously discussed anywhere? (Didn't find anything…)

Please view or discuss this issue at https://github.com/WebBluetoothCG/web-bluetooth/issues/612 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 18 September 2023 11:57:54 UTC
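
The "limited interface to some websites" design proposed in the issue, sketched as an added example (not code from the issue or from the WebBluetooth project): a deny-by-default policy check that an extension could run before forwarding any page request to the device. The origin `https://device.example`, the command names and the `authorize` function are hypothetical, and the sender URL is assumed to be the one reported by the browser, not a value taken from the message.

```javascript
'use strict';

// Hypothetical policy: which origins may reach the device, and with which commands.
// Each validator returns a sanitized argument object, or null to reject.
const POLICY = Object.freeze({
  origins: new Set(['https://device.example']), // constructed origin
  commands: Object.freeze({
    readBattery: () => ({}),
    setBrightness: (a) =>
      Number.isInteger(a.level) && a.level >= 0 && a.level <= 100
        ? { level: a.level }
        : null,
  }),
});

// Decide whether a page's request may be forwarded to the BLE device.
// senderUrl must be supplied by the browser, never read from the message body.
function authorize(senderUrl, msg) {
  let origin;
  try {
    origin = new URL(senderUrl).origin;
  } catch {
    return { ok: false, reason: 'bad-sender' };
  }
  // Exact origin match: scheme, host and port all have to agree.
  if (!POLICY.origins.has(origin)) return { ok: false, reason: 'origin-denied' };
  if (msg === null || typeof msg !== 'object' || typeof msg.cmd !== 'string') {
    return { ok: false, reason: 'malformed' };
  }
  // Own-property lookup, so names like "constructor" never resolve to a function.
  if (!Object.prototype.hasOwnProperty.call(POLICY.commands, msg.cmd)) {
    return { ok: false, reason: 'command-denied' };
  }
  const raw = msg.args !== null && typeof msg.args === 'object' ? msg.args : {};
  const args = POLICY.commands[msg.cmd](raw);
  if (args === null) return { ok: false, reason: 'bad-args' };
  // Only the named command and its sanitized arguments go on to the device;
  // raw GATT reads and writes are never exposed to the page.
  return { ok: true, cmd: msg.cmd, args };
}
```

With this shape, a script injected into the allowed page is still confined to the listed commands and their bounded arguments, which is the extra layer the issue argues for.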