NEWS

For your safety, Google will restrict chrome-connected gamepads

For your safety, Google will restrict chrome-connected gamepads

 

Since 2012, Google Chrome has offered a Gamepad API that, as the name suggests, allows web applications and games to access physical gamepads connected to a computer. Unfortunately, it seems that malicious people can use it to track users online and siphon off their data. The Mountain View giant has announced new restrictions to protect its users.


Similar measures had been taken by Mozilla with Firefox 81, a version released in September 2020. The API also exists on Safari, which allows everyone to use their iPhone or iPad with services like GeForce Now or Google Stadia without an App Store app.

More security by default on Chrome

The operation of the Gamepad API is relatively simple on all browsers. It consists of giving a unique identifier for each gamepad plugged into his computer. Thus, Chrome receives a list of information from buttons and axes (joysticks, directional cross). All this data can be collected (under certain conditions), and this is what worries Google. With access to these, a malicious individual would be able to track someone via their digital fingerprinting.

The measures announced by Google are very similar to what Mozilla communicated for its Firefox browser almost two years ago. First, the API will not work on sites that are not in HTTPS, that is, a combination of HTTP with an encryption layer like SSL or TLS. We remind you that it is also recommended to check a browser option to always upgrade HTTPS navigation. It can be found in Privacy & Security > Security > Advanced Settings.

The second line of thought for Chrome is a different behavior of the API in some integrations (embed). It's not yet known how this will work, but it could be a request for permission from the user to trigger the API and support for their controller.


A stitch in time saves nine?

Such a restrictive measure could harm app and video game developers who need to exploit the controller for their operation. To avoid impacting them and allowing them to access a debugging environment, Chrome will introduce an advanced setting (flag). The latter will be accessible under the name of #restrict-gamepad-access. Everyone will be able to freely take advantage of the controllers and test games on a page or a local server (localhost) without setting up an SSL certificate.

It's amazing to see Chrome implement such a security measure long after Mozilla Firefox. Fortunately, there doesn't seem to have been any "significant" cases of tracking sites or scripts using the Gamepad API to track a user. Google's web browser has already had to urgently fix three major flaws in 2022.

For now, Google has not yet decided when the Gamepad API behavior update will be rolled out to everyone in Chrome.

Comments
No comments
Post a Comment



    Reading Mode :
    Font Size
    +
    16
    -
    lines height
    +
    2
    -