Chrome's taking steps to ensure your gaming habit doesn't make you a target for data miners

It's the latest browser to restrict the Gamepad API

Who hasn't played a game in their web browser? While you easily have a lot of fun clicking and tapping away, modern web browsers also offer a Gamepad API to support physical controllers connected to your device — and there are a lot of great gamepad options out there. Unfortunately, actors with malicious intent could potentially use your pad's data to track you online. As a result, many browsers have restricted the API to protect their users, and now Google is doing the same.

The Gamepad API works relatively simply across all browsers, allowing them to request information from a connected gamepad about things like the state of buttons and directional input (joysticks, d-pads). But that data can also include unique enough information that it's possible (under certain conditions) for an interested party to use it to track someone across multiple sites, a process called digital fingerprinting. In order to prevent this sort of thing, Google announced on Wednesday some changes it's making to how Chrome handles game controllers, per XDA Developers.

First off, the API will be restricted to secure HTTPS sites, while HTTP support will be removed. However, Google recognizes that developers may want to test their games on a local page or server without an SSL certificate, so it’s adding a flag at chrome://flags/#restrict-gamepad-access if someone needs to manually revert the change.

The second step Google’s taking will cause the API to behave differently when working with embeds, but we're not clear yet exactly how it intends this to work. Its efforts here seem similar to steps Mozilla took with Firefox 81 way back in September 2020.

Reports of data breachs of all sorts against large organizations have been on the uptick recently — Google recorded the most zero-day exploits ever last year. But fortunately, we haven't really heard of any significant instances of sites using the Gamepad API to track users — these steps Google's taking with Chrome are more proactive than reactive, which is exactly what we want to see from our browser's security.