Chrome will lock down Gamepad API because it can be used for tracking
Most web browsers have offered a Gamepad API for several years, which allows web apps and games to access physical game controllers. However, the API can be used to track people across the web in addition to its intended use, which is why Firefox and some other browsers have restricted its use. Google is now following suit, with a few changes on the way for how Chrome handles game controllers.
The Gamepad API first arrived with the release of Chrome 21, all the way back in 2012, and other browsers like Firefox implemented it later. Apple added it to Safari 10.1 in 2017, which is how game streaming platforms like GeForce Now and Google Stadia can support iPhones and iPads without an App Store application. The Gamepad API provides an ID for whatever gamepad is currently connected, along with a list of supported buttons and axes — when this data is recorded and compared with other collected data, it could be used to track someone across different sites. This practice is called fingerprinting.
Google has two plans to crack down on fingerprinting with the Gamepad API. First, the API will no longer work unless the current site supports HTTPS, which matches what Firefox has done since 2020. Google will also add a permanent #restrict-gamepad-access flag in chrome://flags to revert the change, mainly for developers who want to test their games on a local page or server without setting up an SSL certificate. Second, the API will behave differently in embedded frames, though the exact implementation there hasn’t been worked out yet.
There seemingly haven’t been any significant cases of sites or tracking scripts using the Gamepad API for fingerprinting, since it requires a controller to be connected to return any data at all — significantly limiting the scope of collected data. Still, web browsers should be as secure as possible, and limiting data collection through the Gamepad API is another step in that direction.
Google hasn’t decided yet when the updated Gamepad API behavior will roll out to everyone in Chrome.
Source: Google Groups