Two Google developers recently published a draft version of the WebUSB API that provides Web pages direct access to USB devices. The goal of the API is to provide a safe, standard method to expose USB-connected devices to Web services. While the API certainly applies to standard, legacy USB-connected devices (e.g. keyboards, mice, AV equipment, etc.), the API could have a major impact on the development of the Internet of Things (IoT) movement.
A common inhibitor to IoT acceleration is waiting for a hardware manufacturer to develop a custom API for an individual piece of hardware. While this API might seem like a universal solution to this problem, the WebUSB API does not grant immediate Web access to any piece of hardware with a USB port. Rather, the API serves as a standard technology that Web developers can adopt within products and hardware manufacturers can build devices with Web capabilities out of the box.
The foremost concern with anything that touches IoT is security. Red flags immediately go up when one learns that USB becomes the connector between a device and the Web. After all, USB devices and computers automatically trust each other, without required authentication steps. Grant and Rockot address the security concerns with a CORS-like security system. The WebUSB security protocol treats each USB devices as a separate source, similar to the way CORS treats Web domains separately. In turn, developers must specifically call out what device receives access, and then prompt users for authorization on a per site basis.
The WebUSB API is backward compatible to allow for USB-enabled devices manufactured before the API release to operate without custom firmware. The API is available at the WICG website. It remains unofficial for the time being. Developers and manufacturers who wish to participate in its development should visit the GitHub site.