Ref the following topic on the W3C GitHub site:
Issue:
According to the current specification, joysticks and gamepad hardware devices can only be used within a secure context.
As mentioned in that thread, this forecloses many potential useful uses for the gamepad and/or joystick.
Unfortunately, it appears that the W3C’s attitude toward things is to slam them behind a certificate paywall or require self-signed certificates.
As I mentioned in the referenced posting, this is a Bad Idea because it imposes an additional administrative burden and/or cost for things that really don’t need it.
Likewise, encouraging the use of self-signed certificates actually reduces the security of the secure context as it dulls users to the potential danger of accepting self-signed certificates all willy-nilly.
I am currently working on a robotics project using a GoPiGo-3 robot as an FPV rover guided by a joystick. Unfortunately, I can no longer do development on Firefox, as Firefox absolutely refuses to accept anything other than a secure (HTTPS) connection for the joystick. Though I can continue development on Chrome (for the time being), I suspect that this window of opportunity will close quickly, making it impossible for me to complete my project.
Since slamming things behind a certificate as a knee-jerk solution is ultimately counterproductive, I have proposed a solution that is just as effective and won’t require a secure site:
Proposed solution:
Make access to the gamepad/joystick a user-selectable setting.
This could be implemented in exactly the same way that access to other hardware devices is/was implemented - with a setting that allows any site that wants to use the gamepad to pop up a dialog and ask:
Site xxxx wants access to your gamepad device: [allow | deny | ask] with an option to remember this decision for that web site.
Since the primary idea behind requiring a secure context is to prevent the gamepad from being used as a fingerprint, it should be intuitively obvious (as my Calculus professor used to say) that placing it behind a certificate wall won’t work. Why, you ask? Because the sites that are the most interested in tracking you already have secure sites! - so that won’t help.
The only thing that will help is allowing the user to allow access on a site-by-site basis the same way that notifications and location are only allowed on a site-by-site basis.
What say ye?
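
For reference, a sketch of which page origins a browser treats as a secure context, and so where a secure-context-only Gamepad API is exposed. This is an added example, not part of the original post: it follows the "potentially trustworthy origin" rules of the W3C Secure Contexts specification in simplified form, and the function names and sample addresses are made up for illustration.

```javascript
// Simplified "potentially trustworthy origin" check (W3C Secure Contexts).
// Real browsers add further rules (framing ancestors, user-agent overrides),
// so this is a planning aid, not the exact algorithm.
function isPotentiallyTrustworthy(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return false; // unparsable input is never trustworthy
  }
  const scheme = url.protocol.replace(/:$/, "");
  if (scheme === "https" || scheme === "wss") return true; // authenticated transport
  if (scheme === "file") return true;                      // local files
  const host = url.hostname.toLowerCase();
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  if (host === "[::1]") return true;                       // IPv6 loopback
  const v4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (v4 && Number(v4[1]) === 127) return true;            // 127.0.0.0/8 loopback
  return false; // plain http to a LAN or public host
}

// Hypothetical helper: reports why gamepad access is or is not possible.
// `env` is the page's global object (window) or a stand-in with the same fields.
function gamepadStatus(env) {
  if (!env.isSecureContext) return "blocked: insecure context";
  if (!env.navigator || typeof env.navigator.getGamepads !== "function") {
    return "unsupported: no Gamepad API";
  }
  return "available";
}

// Constructed sample origins for a robot's web UI (addresses are made up).
const samples = [
  "http://192.168.1.50:5000/", // robot served over plain HTTP on the LAN
  "http://localhost:5000/",    // same UI reached through a local port forward
  "http://127.0.0.1:5000/",
  "https://robot.example/",
];
for (const origin of samples) {
  console.log(origin, "->", isPotentiallyTrustworthy(origin) ? "secure context" : "not secure");
}
```

In a browser, `gamepadStatus(window)` gives the page's actual state.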