Despite the controversial nature of WebUSB, a loophole has been found that allows web pages to access USB devices without it, avoiding political disputes. By tricking a Raspberry Pi Pico to impersonate a U2F dongle, arbitrary data can be smuggled in, exploiting the device’s key handle functionality. Chrome attempts to check the validity of ECDSA signatures, while Firefox does not, allowing for the insertion of dummy data. This method, supported by all major browsers, bypasses security checks and promotes user safety. Although not a security vulnerability, caution should be taken regarding USB devices due to their inherent questionable security on most platforms.
https://github.com/ArcaneNibble/i-cant-believe-its-not-webusb