Firefox has spent years telling the web to keep its grubby mitts off your hardware. Then Nightly went and shipped Web Serial anyway, because apparently every browser eventually becomes an OS with a shame problem.

And look, I get it. I really do. If you build tools for 3D printers, ESP32 boards, BBC micro:bits, Raspberry Pi Picos, or whatever other little blinking rectangle is currently ruining your weekend, the browser is a very convenient place to put the UI. No install friction. No native app hell. No “please download this unsigned thing from a forum post that looks like a phishing attempt.” Just click, connect, configure, move on with your life.

That convenience is exactly why this stuff keeps spreading.

Chrome shipped Web Serial back in 2021. Mozilla opposed it years ago, basically saying the obvious part out loud: user consent is not magic, and serial devices are often one bad page away from acting like they own the room. That was the sane position. Then the world got more obsessed with browser-based hardware control, and Mozilla slowly drifted from “absolutely not” to “fine, but gated and uncomfortable.” Now Firefox Nightly 151.0a1 has it, behind a flag, and the release notes casually say you can now manage microcontrollers and development boards from the browser.

That sentence should make everyone a little itchy.

The browser is not a browser anymore

This is the real story. Not Web Serial itself. The real story is that browsers have been steadily swallowing responsibilities that used to belong to native apps, drivers, device managers, installers, and all the other boring layers of software that existed for reasons. The web keeps winning because it is easier. And every time it wins, it inherits another chunk of the machine.

At some point we stopped asking whether the browser should do a thing and started asking whether the browser could be made annoying enough to do the thing safely-ish.

That is a hell of a design philosophy.

Web Serial is not some random toy API. It is a straight line from a web page to a physical device. That means the browser is no longer just rendering content or handling forms or serving as the world’s most overworked PDF viewer. It is now sitting in the middle of hardware workflows. It is a control plane. A permission broker. A device UI. A slightly damp bridge between your web app and things that can flash firmware, move motors, or brick themselves in spectacularly specific ways.

And yes, the hobbyist use cases are real. So are the industrial ones. So are the classroom ones. So is the part where a vendor’s web configurator is the only thing standing between you and a dead gadget.

That does not make it less cursed.

Mozilla’s old objection still hits because it was never really about the API. It was about the fantasy that a human clicking a dialog box is equivalent to understanding the risk.

It is not.

We have spent the last decade teaching users to click through permissions until the prompt stops feeling like a warning and starts feeling like housekeeping. Camera access, microphone access, clipboard access, notifications, file pickers, Bluetooth, USB, serial, and on and on. The browser keeps stacking new powers on top of the old ones, and every new prompt gets one more little piece of trust stripped out of it.

At this point the permission prompt is basically a ritual.

You click “Allow” because the page says it needs access to the thing you came for. The browser pretends this is a considered decision. The developer pretends the prompt is a meaningful moat. Everybody nods along while the actual system security model gets quietly eaten by product design.

This is not me being dramatic. This is just what happens when the web starts doing jobs that were previously handled by installed software with at least a thin layer of expected intent.

AI agents made this worse, obviously

The part that really grinds my teeth is the timing. We are in the middle of the “let the agent drive the machine” era, which is a lovely way of saying people are now handing browsers to software that blithely clicks things faster than a caffeinated intern with no self-preservation instinct.

That changes the calculus.

When a browser can talk to hardware, and an AI agent can steer the browser, and the page can request the permission, you have built a stack where the difference between “helpful automation” and “how did my printer get firmware from a weird web app” gets real fuzzy, real fast.

Mozilla even says the quiet part in its release notes: with people exposing their computers to AI agents and Firefox adding more AI integration, the old fears around Web Serial start to look less abstract. That is one way to put it. Another way is: congratulations, we built the exact kind of environment where every half-trusted layer can launder trust into the next one.

That is how you get weird security incidents with friendly branding.

So am I mad that Firefox shipped it?

Yeah. A little.

Not because the API is inherently evil. Not because I think every browser should be a dead text viewer from 2004. I am mad because this is yet another example of the web refusing to stay legible. Every year it picks up a few more capabilities, a few more exceptions, a few more “just this once” permissions, and then acts surprised when the whole thing feels like a pile of extensions held together with one compromised auth token.

But I am also not pretending this is fake demand.

There are real tools that depend on serial access. There are real people who are tired of telling users to install a desktop app for one cursed device. There are real workflows where the browser is the least-bad distribution channel. Mozilla ignoring that forever would just mean more people drifting into Chromium land because the ecosystem always rewards the browser that says yes first.

That is the trap.

Say no too long and you become irrelevant. Say yes too eagerly and you become the thing you swore you were protecting users from.

My actual complaint

My complaint is not “never let web apps touch hardware.” My complaint is that we keep treating every expansion of browser power as if it were a neutral convenience upgrade instead of a slow rewrite of the trust boundary.

The web is no longer just a document system. Fine. We all know that. But once you let it punch through into device control, the only honest thing left to do is admit the browser has become an operating environment with opinions, permissions, and a very large attack surface.

Which means the right question is not “can the browser do this?”

It is “what the hell do we think the browser is now?”

Firefox Nightly just answered one more chunk of that question by quietly opening the serial port.

And honestly? Good luck, everybody. We are going to need it.