Yes, you can fingerprint the existence of the API itself, but that applies to all APIs. Also the APIs that Safari does support.
API support is not a way to fingerprint users. At most you can fingerprint browser version. But... you already have the user agent string for that.
Mozilla has elaborated a bit on this in their stance on Web USB: mozilla.github.io/standards-…
They also have comments on Web Bluetooth there, but no comments in regards to any fingerprinting vulnerability: mozilla.github.io/standards-…
/cc @firt
Yeah. The argument seems to be that if the user is tricked into connecting to a device, the data from that device can be used for fingerprinting... Which in itself might be true.
But that is setting the bar pretty high.
When you trick the user, you can also get their geolocation. Or access the files on their file system. Analyse the footage of their webcam. Or background audio.
Combined with the part of Mozilla's argument where they say that USB and Bluetooth in themselves were never really designed to act in a "secure" way in a scenario like this, one can imagine scenarios where innocent-looking USB devices could have hidden identity purposes?
With that in mind you should disable Apple Pay also because businesses can scam you, which is something that happens every minute over credit cards and payment systems. It's a weird argument.
I guess e.g. @davidbaron and @annevk would be better at explaining the stance than me trying to interpret any deeper meaning into the Mozilla position.
I find the position interesting and I can see the point of view, though I'm ultimately undecided myself, would have to dig deeper.
At the end I think this is a matter of user choice. I agree a browser can warn the user and let her disable features. But deciding for the user with no other option ends in a dictatorship. That's not applying to Mozilla or even WebKit by itself. It applies to iOS and iPadOS.
So when the browser warns the user, what do we say to a user who doesn't know what USB is beyond "a cable"? Is it OK for a webpage to send firmware updates or security exploits to a USB device that change what type of device it is (say, from storage to keyboard) or brick it?
input type=file is good permission handling -- the user is clearly choosing to give a *particular* file to the site. Yes, they might not understand all of the implications.
Would you consider a USB permission grant enough to give the site access to *any* file on the disk?
Jun 29, 2020 · 6:10 PM UTC