Date: 2022-04-25

If you’ve ever played a game through the web, you’ve needed something called the “Gamepad API”. This Chrome feature allows the physical controller to connect to the browser and send your inputs to the cloud game or server where the content is being run. Unfortunately, this API has become a target for data miners, and, by extension, so have you and your personal information!

The vulnerability was first discovered and reported by a Chrome and Chromium developer at Google via Google Groups, and later reported on by XDA Developers. The Gamepad API was first introduced into Chrome in 2012 and, over subsequent years, into Firefox and Safari.

In order to prevent users from falling victim to these bad actors getting a hold of their “digital fingerprint”, Google has decided to restrict access to the API altogether unless the website has an SSL certificate in place – that is, if the website is served over “HTTPS”. Additionally, it will add a Chrome developer flag called “#restrict-gamepad-access” for developers who want to test their controllers before they get SSL set up on their end.

Lastly, embedded frames will treat gamepad access differently, but at this time, we don’t have details on exactly how that will work. It’s worth noting that Firefox implemented many of these changes way back in 2020, so why Chrome has yet to do so kind of baffles me.
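For site developers, the practical consequence of the HTTPS requirement and the separate handling of embedded frames is that gamepad code should check its context before polling for controllers. The following is an added example, not code from Google or from the original article; the function names, the window-like `env` parameter, and the assumption that a refused call surfaces as a `SecurityError` are illustrative.

```javascript
// Added example: decide whether the Gamepad API can be used in this context.
// `env` is a window-like object; passing it in is an assumption made so the
// check can also be exercised outside a browser.
function gamepadAccess(env) {
  const nav = env.navigator || {};
  // Restricted browsers only expose gamepads to secure contexts (HTTPS,
  // or localhost during development).
  if (env.isSecureContext !== true) {
    return { usable: false, reason: 'insecure-context', fix: httpsUpgrade(env.location) };
  }
  if (typeof nav.getGamepads !== 'function') {
    return { usable: false, reason: 'api-missing', fix: null };
  }
  try {
    // Slots in the returned list can be null; count only connected pads.
    const pads = Array.from(nav.getGamepads() || []).filter((p) => p && p.connected);
    return { usable: true, reason: 'ok', pads: pads.length, fix: null };
  } catch (err) {
    // Assumption: a browser that refuses the call (for example inside an
    // embedded frame) reports it as a SecurityError.
    if (err && err.name === 'SecurityError') {
      return { usable: false, reason: 'blocked-by-policy', fix: null };
    }
    throw err;
  }
}

// Build the HTTPS equivalent of the current page URL, if there is one.
function httpsUpgrade(loc) {
  if (!loc || loc.protocol !== 'http:') return null;
  return 'https://' + loc.host + loc.pathname + (loc.search || '');
}

// In a browser, report the result for the current page.
if (typeof window !== 'undefined') {
  console.log(gamepadAccess(window));
}
```

A page can use the `reason` field to show a fallback control scheme or a redirect to the `fix` URL instead of silently receiving no controller input.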

“The Gamepad API has been around for a while and is widely used. However, recent pushes for privacy have brought the possibility for this API to be used for fingerprinting to our attention. These changes mitigate the fingerprinting risk.” (Chrome Platform Status)

So far, it seems that Google has yet to really see any attempts at the Gamepad API being abused or users being at risk because of it, but locking it down is certainly a good precautionary measure, even if it is being done two years later than the competition. My hope is that they had a specific reason to leave it operable and accessible on non-HTTPS sites and while not in use, and that it’s tied to some other feature, but I doubt it.