Re: [w3ctag/design-reviews] WebHID API (Human Interface Device) (#370)

@cynthia @nondebug

I just became aware of the WebHID spec and am a bit worried about the security aspects. At Sony, our gamepads (DualShock 3, 4 and next-gen controller) are all HID. The devices are quite complicated and a lot happens over HID, not just input.

From the security side, you can issue a feature report to get the MAC address, firmware version and some more, so fingerprinting is an issue. What for me is even scarier than fingerprinting is that you can issue feature reports to perform firmware updates. A naughty website could brick controllers.

As I mentioned, our devices are complicated, as even audio data and microphone data all work over HID. That stuff has to be handled using proper device drivers, but anyone using raw HID with our controllers (even when not using audio), e.g. for rumble or lights, would cause interference.

Similarly, using HID we can change our power settings and other settings. A platform driver (e.g. on Linux hid-sony) manages such settings. User mode drivers and kernel drivers managing a device is asking for trouble.

-- 
https://github.com/w3ctag/design-reviews/issues/370#issuecomment-668186899

Received on Monday, 3 August 2020 18:56:07 UTC