> For raw device access as envisioned in a number of APIs (Web USB, Web Bluetooth, Web NFC, and Web MIDI), the risks of exposing those APIs to users cannot be reasonably conveyed. This is pretty much an intractable flaw of allowing raw, non-semantic access to devices regardless of the protocol used to do so.
> The specific issue is: it's not intuitive that allowing malicious-site.com to access your Bluetooth keyboard might give that site access to your stored passwords, give them the ability to hijack your DNS settings, or allow them to encrypt your hard drive and hold it ransom. And if it's not immediately obvious how those things are possible, that only serves to demonstrate how completely non-intuitive the risks are and how intractable trying to explain them in a permission prompt would be.
https://github.com/mozilla/standards-positions/issues/95#iss...
Recently I've changed my mind. I've been building a thing using everything in the web platform, even if it is Chrome only and it is great. You can build apps the blend local and remote systems together in ways that make new things possible - and it is on an open-standard runtime.
But as a long time Firefox user I hate that I have to warn people at some critical features won't work.
I think from a platform point of view having features in the web platform that let it compete with other platforms is worth the trade off.
I'm saying I think it is important for free and open systems to be competitive with closed ecosystems, and to take advantage of the power of local systems.
I believe in a world where we - as developers - can build systems that have both maximum safety and maximum utility for users.
Currently there are two ways of distributing software that takes full advantage of the hardware users have:
1. AppStores, with centralized, permission based certification of developers in an attempt to make apps safe.
2. Binary downloads, relying on the operating system to make them safe for users.
I believe there should be a third way - a platform that sandboxes users from the worse things that are possible and breaks reliance on cloud platforms.
I think the web platform is the closest to achieving this. I think the security and privacy concerns are valid and well-founded, but I think the trade-offs in pushing permission-based systems are worthwhile.
Take this project as an example. The alternative to web-serial is to download a random executable binary and firmware written by who knows to your computer, with full read/write permissions. I think that is a riskier outcome for users than enabling this API.
It would not be quite as seamless as having serial support included out of the box in the browser, but couldn't you get most of the way there by writing a native application that provides provides a network interface to the serial ports and then a JavaScript library for use in the browser than talks to that application over the network (maybe even making the JavaScript library API match the Web Serial API so code written for Chromium's actual Web Serial requires little of no porting)?
The native apps for Linux, Windows, and MacOS would be pretty simple, and would be independent of browser vendor or version.
This might even allow some flexibility that serial implemented in the browser doesn't have, such as allowing control of serial ports on a different host.
I'd have expected that when people saw that Web Serial in Chromium opened up some great possibilities for things like browser based Arduino development but other browser makers were not on board someone would had thoughts similar to what I've described.
Does this exist and I just missed it? Is there some major difficulty I've overlooked?
1. I go to your site 2. I download your service for my platform (that now has to be developed and shipped for N platforms your site wants to support 3. I install said service and make sure it's running 4. I go back to site and it's connected (or it's not and now you have to support a whole host of troubleshooting docs based on platform.
Web serial version that's now in Firefox and has been in chromium: 1. I go to your site. It works
What you described is something that has been done for awhile. Most recent thing I've used I can think of is Lenovos Driver install utility (you install their connector app, go to their support page, it connects to your app and then shows what drivers you need)
*Unless you're thinking of something I'm not, the API couldn't exactly match the Web Serial API because of same-origin policy, and if you made an exception to that policy to make the polyfill work, you'd punch a giant security hole in the browser.
We recently restarted our middle school robotics club. The school had a lot of old Vex EDR equipment for which the coding software is windows only so that really limited what we could do related to coding. Glad to see Firefox getting up to speed on this.
And maybe we'll get web bluetooth too.
Plug in to USB, fire up the web app, and then press a button in NY to light up LEDs in SF – it was exciting stuff!
I never tried actually programming the boards over WebSerial; that obviously opens up many more use cases. I’m thinking about the success that p5.js has had in the creative coding community, largely driven (I think) by a low barrier to entry since it just requires a web browser to get started.
I've always agreed with the reservations about browsers being able to control peripherals. I'd rather download a python script i can inspect.
https://hacks.mozilla.org/2026/05/web-serial-support-in-fire...
Hopefully they will move to a better solution that offers some integrity guarantees instead, like https://rwc26.waict.dev/ that they have an early implementation of in nightly builds.
Sure, the standard is cool, have used it to flash Meshtastic to some LoRa boards, before advancing to use VS Code + ESP-IDF to flash in my own LoRa code.
> What makes it aggressive?
The parent comment already contained the answer to your question (the multiple links are what makes it aggressive, in GP's opinion). Your comment might have been seen as more constructive if it engaged with that directly.
Unfortunately Firefox doesn't support the FileSystem API so to do this you need to resort to uploading the entire source code directory each time you change a source file.
I understand Firefox's privacy and security first thinking on this, but I think it is misguided. It's led to the webplatform being eclipsed by other, propriety options, or people forced to ship "Chrome-based only" features.
Right, it's so much less onerous to have people download and set up an entirely separate fickle toolchain—and needing to trust that the install triggers in the package.json of some transitive dependency won't exfiltrate your personal data or install some nefarious ineradicable background service onto your system, versus the two extra clicks you'd have to subject yourself to if you wanted to re-run the build.*
Wait, no.
> people [are] forced to ship "Chrome-based only" features
No they're not. By your own admission they could make their build scripts work with the standardized HTML5 APIs that are well-supported in all major browsers. They choose not to.
And you're not really responding to the substance, anyway—which is that JS programmers (frequently writing for browser runtimes, even) require that you install NodeJS, Bun, or Deno (because they hardcode the build scripts internals against one of those runtime's APIs). If programmers really were writing build scripts that you could run in Chrome but unfortunately not Firefox, then even that would be an improvement over the status quo. But that's not what we're talking about, because that's not happening.
* most of which are destined to be one-shot executions, anyway
> And you're not really responding to the substance of the comment anyway, which is that JS programmers—frequently writing for browser runtimes, even—are demanding that you install NodeJS, Bun, or Deno (because they hardcode the build scripts against those runtimes' APIs).
Do you mean things like the Typescript + Webpack/whatever toolchain? Because broadly speaking that seems orthogonal to the target browser.
Using tools outside the browser to build something for the browser is mostly an optimization, for both the developer and the end user.
If someone has a web app with maybe 100 NPM packages, doing things like tree-shaking offline before shipping to a browser is important.
> And you're not really responding to the substance of the comment anyway, which is that JS programmers—frequently writing for browser runtimes, even—are demanding that you install NodeJS, Bun, or Deno (because they hardcode the build scripts against those runtimes' APIs).
If they are targeting Web APIs and using runtimes to build for those APIs what is the problem?
There are plenty of tools that need version X.XX+ of GCC to build and won't build using MSVC or something. It's a bit annoying but hardly outrageous.
