Yes, indirectly. Information about which peripherals are connected to the host may be used to fingerprint the user. Some types of HID devices may also expose personally-identifiable information. This is mitigated by only exposing a device to script once the user has explicitly granted access for that device (for instance, by selecting it from a chooser).
Yes, indirectly. Keyboards and FIDO devices are often implemented as HID peripherals and may be used to enter credential information. To mitigiate the risk of exposing credential information to script, FIDO devices are excluded from the device chooser. Keyboards and pointer devices (mice, touchscreens, etc) may be included, but reports carrying keyboard and pointer information are not delivered to script and information about these reports is blocked.
3. Does this specification introduce new state for an origin that persists across browsing sessions?
No. The WebHID specification does not introduce new state, however a user agent may choose to persist device permissions across browsing sessions.
No
5. Does this specification expose any other data to an origin that it doesn’t currently have access to?
Yes, it exposes a list of devices for which the origin has already been granted access and allows data to be sent to and received from these devices. If no devices have been granted access for the origin then no additional data is exposed.
Device access is not exclusive, so if multiple origins have been granted access for the same device then it can potentially be used to communicate across origins.
No
No
Yes. Many types of sensors are implemented as HID peripherals.
9. Does this specification allow an origin access to aspects of a user’s local computing environment?
Yes. WebHID exposes a list of connected HID peripherals for which the current origin has been granted access. It also allows script to send and receive data from the peripheral which may expose additional information about the local computing environment.
Yes. WebHID allows an origin to access connected HID peripherals.
No
No
No
Device permissions granted in incognito mode must not persist beyond the incognito session.
No, although a user agent may choose to persist site permissions to remember devices that have already been granted access.
Yes
No
Access to the WebHID API is restricted to secure contexts. By default, no device information is exposed to script. A user must explicitly grant access for an origin to access a device by selecting the device from a chooser list. Information about other devices in the list is not exposed to script.