LGTM as an IWA OWNER (3x LGTM from Blink API OWNERS are still required
according to the IWA-specific API launch process
<https://www.chromium.org/blink/launching-features/isolated-web-apps/>).

Similar to Unrestricted WebUSB, this API is granting access to devices
which we've made an explicit decision not to give to normal web sites. The
additional integrity provided by IWAs allows us to make a meaningful
decision that if access is granted to an app then the app's behavior is
well-known and cannot be compromised by common attack vectors.

This API exists to support specific, mainly enterprise-focused, use cases.
On the broader web, device-based authentication solutions such as WebAuthn
are more appropriate.
Reilly Grant | Software Engineer | [email protected] | Google Chrome
<https://www.google.com/chrome>


On Thu, Oct 2, 2025 at 6:39 AM Luke Klimek <[email protected]> wrote:

> Contact emails
>
> [email protected], [email protected]
>
> Explainer
>
> https://github.com/WICG/web-smart-card/blob/main/README.md
>
> Specification
>
> https://wicg.github.io/web-smart-card
>
> Summary
>
> Enables smart card (PC/SC) applications to move to the Web platform. It
> gives them access to the PC/SC implementation (and card reader drivers)
> available in the host OS.
>
>
> Administrators can control the availability of this API either:
>
>
>    - Globally—using the DefaultSmartCardConnectSetting policy.
>    - Per-application—using the SmartCardConnectAllowedForUrls and
>    SmartCardConnectBlockedForUrls policies.
>
>
> Blink component
>
> Blink>SmartCard
> <https://issues.chromium.org/issues?q=customfield1222907:%22Blink%3ESmartCard%22>
>
> Web Feature ID
>
> None
>
> TAG review
>
> This is an IWA-only API, and TAG has made it clear recently that they
> don't want to review IWA-related stuff. Relevant statement:
> https://github.com/w3ctag/design-reviews/issues/842#issuecomment-2917031448
>
> TAG review status
>
> Not applicable
>
> Risks
>
>
> Interoperability and Compatibility
>
> Other browsers may choose to implement this API; that is, however, dependent
> on adoption of the Isolated Web Apps as a whole.
>
> Gecko: No signal
>
> WebKit: No signal
>
> Web developers: Positive (https://github.com/WICG/web-smart-card/issues/43)
>
> Other signals:
>
> Security
>
>
> https://github.com/WICG/web-smart-card?tab=readme-ov-file#security-and-privacy-considerations
>
>
> https://wicg.github.io/web-smart-card/#security-privacy
>
> This is a highly security-sensitive API. This is why it is currently being
> guarded behind:
>
>    1. Isolated Web App installation (and also declaration of the
>    `smart-card` permission policy in the manifest).
>    2. Fine-grained user-facing permission mechanism that gives the end user
>    control over the most privacy-sensitive moments (connection to a smart card
>    reader).
>
> For more context on the permissions design and how it interacts with
> Chrome UI and enterprise policy see go/web-smart-card-api-permissions
> <http://goto.google.com/web-smart-card-api-permissions> (sorry,
> Googlers-only).
>
> WebView application risks
>
> Does this intent deprecate or change behavior of existing APIs, such that
> it has potentially high risk for Android WebView-based applications?
>
> None.
>
>
> Debuggability
>
> The code using this API can be debugged using the standard tools.
> Potential future improvement would be a new CDP domain to allow mocking
> system PC/SC to not rely on actual hardware.
>
> More design explorations at go/web-smart-card-api-cdp
> <http://goto.google.com/web-smart-card-api-cdp>, sorry, Googlers-only.
> Complexity of this endeavour however makes us defer this at least until
> cross-platform launch. This is a part of a broader effort to add WPTs to
> this feature: https://crbug.com/40275258
>
> Will this feature be supported on all six Blink platforms (Windows, Mac,
> Linux, ChromeOS, Android, and Android WebView)?
>
> No. Underlying implementation highly depends on the system native PC/SC
> stack. ChromeOS is the first platform implemented. Also, IWAs themselves
> are not currently launched anywhere else.
>
> Is this feature fully tested by web-platform-tests
> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
>
> No. WPT does not support IWA test environments. Once that support is
> available, we can investigate adding IWA-focused WPT tests. Also,
> implementation is highly complex, as the API depends on communication
> with the native system PC/SC and actual hardware. Future WPT
> implementation, tentatively planned for the cross-platform launch, is
> tracked here: https://crbug.com/40275258
>
> DevTrial instructions
>
> https://github.com/WICG/web-smart-card/blob/main/HOWTO.md
>
> Flag name on about://flags
>
> enable-smart-card-web-api
>
> Finch feature name
>
> SmartCard
>
> Rollout plan
>
> Will ship enabled for all users
>
> Requires code in //chrome?
>
> True
>
> Tracking bug
>
> https://bugs.chromium.org/p/chromium/issues/detail?id=1386175
>
> Launch bug
>
> https://launch.corp.google.com/launch/4234437
>
> Measurement
>
> UseCounters:
>
>
>    1. SmartCardEstablishContext: Entry point to the API overall.
>    2. SmartCardConnect: Entry point to actually using API for
>    communication with smart card readers.
>
>
> Availability expectation
>
> API is available only in Chromium browsers for the foreseeable future—no
> other browser engine has yet displayed interest in implementing Isolated
> Web Apps, which are a prerequisite to this API. Initially API will be
> available on ChromeOS only, with intent to implement it elsewhere later (as
> Isolated Web Apps are launched on other platforms).
>
> Adoption expectation
>
> Expected to be used initially by a small number of developers inside
> Isolated Web Apps.
>
> Adoption plan
>
> Working directly with developers that are planning to rely on the API.
>
> Non-OSS dependencies
>
> Does the feature depend on any code or APIs outside the Chromium open
> source repository and its open-source dependencies to function?
>
> Yes. This API depends on the system-specific PC/SC implementation, as it
> is essentially a proxy to it. For the initial launch on ChromeOS, this
> extension is the sample provider that should be installed in Chrome for the
> API to function:
> https://github.com/GoogleChromeLabs/chromeos_smart_card_connector
> On the other platforms, we will probably add new dependencies (PCSC on
> Windows and PC/SC lite elsewhere) to the Chromium project itself.
>
> Sample links
>
> https://github.com/GoogleChromeLabs/web-smartcard-demo
>
> Estimated milestones
>
> Shipping on desktop
>
> 143
>
> DevTrial on desktop
>
> 141
>
>
> Anticipated spec changes
>
> Open questions about a feature may be a source of future web compat or
> interop issues. Please list open issues (e.g. links to known github issues
> in the project for the feature specification) whose resolution may
> introduce web compat/interop risk (e.g., changing to naming or structure of
> the API in a non-backward-compatible way).
>
> None.
>
> Link to entry on the Chrome Platform Status
>
> https://chromestatus.com/feature/6411735804674048?gate=4552874575527936
>
> Links to previous Intent discussions
>
> Intent to Prototype:
> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CA%2BenBd9j9Ucy-BKqfQSk9hZxVG6-qm4H6X3%3DxT9U86KpiOpKeA%40mail.gmail.com
>
>
> This intent message was generated by Chrome Platform Status
> <https://chromestatus.com/>.
>
> --
> You received this message because you are subscribed to the Google Groups
> "blink-dev" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion visit
> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CANLtwd0PyL0BsedCr%3Do3%2BXoTRHFRi5O9t9wygwDe_7vf9OhKNQ%40mail.gmail.com
> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CANLtwd0PyL0BsedCr%3Do3%2BXoTRHFRi5O9t9wygwDe_7vf9OhKNQ%40mail.gmail.com?utm_medium=email&utm_source=footer>
> .
>
