@mehmoodqureshi/chrome-mcp 0.4.0 → 0.4.1

package/dist/src/config.js

@@ -123,6 +123,11 @@ function parseArgs(argv) {
     }
     // File first, then flags win.
     const policy = (0, policy_1.resolvePolicy)({ ...policyFile, ...policyFlags });
+    // Uploads must be confined to a directory — refuse to start with uploads enabled
+    // but no dir, rather than silently allow unrestricted local-file access.
+    if (policy.allowUploads && !policy.uploadsDir) {
+        throw new Error('--enable-uploads requires --uploads-dir <path> (uploads must be confined to a directory)');
+    }
     return {
         wsPort,
         dataDir: resolveDataDir(),

package/dist/src/mcp/tools.js

@@ -268,15 +268,18 @@ exports.TOOL_HANDLERS = {
         const files = (0, validators_1.optionalStringArray)(a, 'files');
         if (!files || files.length === 0)
             throw new validators_1.McpToolError('"files" must be a non-empty array of absolute local paths');
-        // Path restriction: if uploadsDir is configured, every file must resolve to a
-        // location inside it (blocks `..` traversal and arbitrary-file exfiltration).
-        if (ctx.policy.uploadsDir) {
-            const dir = (0, node_path_1.resolve)(ctx.policy.uploadsDir);
-            for (const f of files) {
-                const abs = (0, node_path_1.resolve)(f);
-                if (abs !== dir && !abs.startsWith(dir + node_path_1.sep)) {
-                    throw new validators_1.McpToolError(`upload denied: "${f}" is outside the allowed uploads dir (${dir})`);
-                }
+        // Path restriction: uploads MUST be confined to a configured directory. Without
+        // one, any absolute path (e.g. ~/.ssh/id_rsa) could be uploaded to a page, so we
+        // refuse rather than allow unrestricted local-file access. With a dir, every file
+        // must resolve inside it (blocks `..` traversal and arbitrary-file exfiltration).
+        if (!ctx.policy.uploadsDir) {
+            throw new validators_1.McpToolError('upload denied: uploads require an --uploads-dir to be configured (refusing unrestricted local-file access)');
+        }
+        const dir = (0, node_path_1.resolve)(ctx.policy.uploadsDir);
+        for (const f of files) {
+            const abs = (0, node_path_1.resolve)(f);
+            if (abs !== dir && !abs.startsWith(dir + node_path_1.sep)) {
+                throw new validators_1.McpToolError(`upload denied: "${f}" is outside the allowed uploads dir (${dir})`);
             }
         }
         return (0, envelopes_1.jsonResult)(await ctx.ex.uploadFile(t, files, { tabId: tabId(a) }));

package/dist/src/security/policy.d.ts

@@ -6,9 +6,16 @@
  * threat, so the policy:
  *   - is ON by default with a SAFE default (empty allowlist, no eval, no
  *     downloads, mutations disabled),
- *   - gates READS as well as writes (reads are the exfil payload),
- *   - is enforced at BOTH ends — the executor dispatch (server) AND the
- *     extension router — before any attach/navigate/eval/read.
+ *   - gates READS as well as writes (reads are the exfil payload).
+ *
+ * SCOPE OF ENFORCEMENT: this policy is enforced SERVER-SIDE ONLY, at the executor
+ * dispatch chokepoint (`assertUrlAllowed` in src/mcp/tools.ts). The extension does
+ * NOT independently re-check the policy, so the bridge token is the sole trust
+ * boundary for the WebSocket: any client holding the token can issue commands the
+ * extension will execute, regardless of this policy. The policy constrains the
+ * official MCP server (and thus the LLM driving it); it is not a second line of
+ * defense against a rogue token-holding client. (A future hardening would mirror
+ * this gate inside the extension router via a policy delivered in the welcome frame.)
  *
  * `assertUrlAllowed(url, method, policy)` is the single chokepoint. It throws an
  * `ExecutorError('POLICY_DENIED', …)` which the never-throw dispatch firewall

package/dist/src/security/policy.js

@@ -7,9 +7,16 @@
  * threat, so the policy:
  *   - is ON by default with a SAFE default (empty allowlist, no eval, no
  *     downloads, mutations disabled),
- *   - gates READS as well as writes (reads are the exfil payload),
- *   - is enforced at BOTH ends — the executor dispatch (server) AND the
- *     extension router — before any attach/navigate/eval/read.
+ *   - gates READS as well as writes (reads are the exfil payload).
+ *
+ * SCOPE OF ENFORCEMENT: this policy is enforced SERVER-SIDE ONLY, at the executor
+ * dispatch chokepoint (`assertUrlAllowed` in src/mcp/tools.ts). The extension does
+ * NOT independently re-check the policy, so the bridge token is the sole trust
+ * boundary for the WebSocket: any client holding the token can issue commands the
+ * extension will execute, regardless of this policy. The policy constrains the
+ * official MCP server (and thus the LLM driving it); it is not a second line of
+ * defense against a rogue token-holding client. (A future hardening would mirror
+ * this gate inside the extension router via a policy delivered in the welcome frame.)
  *
  * `assertUrlAllowed(url, method, policy)` is the single chokepoint. It throws an
  * `ExecutorError('POLICY_DENIED', …)` which the never-throw dispatch firewall

package/docs/BLUEPRINT.md

@@ -64,7 +64,7 @@ takes over from CDP and vice-versa on disconnect.
 - **The 256-bit per-boot token is the ONLY security boundary.** Origin checks and the loopback bind are defense-in-depth against *browser-page* attackers, not native processes. [RESOLVED — security blockers 2 & 3]
 - **One canonical `protocol.ts`** imported by both server and extension. Four conflicting wire/port/token designs are collapsed into this single contract. [RESOLVED — integration blocker 1]
 - **Helpers (`extract_links`, `read_as_markdown`, `fill_form`) are composed server-side** from primitives. Only `download_file` is an executor/wire method. [RESOLVED — integration blocker 2]
-- **Default-deny domain policy is ON by default and gates reads too**, enforced inside the executor dispatch (both backends) AND the extension router. [RESOLVED — security major 4 & eval]
+- **Default-deny domain policy is ON by default and gates reads too**, enforced SERVER-SIDE inside the executor dispatch (both backends). NOTE: the extension router does NOT independently re-check the policy — the bridge token is the sole trust boundary for the WebSocket. Mirroring the gate into the extension router is a planned hardening. [RESOLVED — security major 4 & eval]
 
 ---
 
@@ -540,7 +540,7 @@ threat** (this tool feeds untrusted page text to an LLM that can call `eval`).
 3. **Origin is NOT a security layer.** Documented as defense-in-depth against *browser-page* attackers only (a web page cannot forge a `chrome-extension://` Origin; a native process can). The token holds independently. We never relax token strength on Origin's account. Never reject a valid-token dev connection solely on Origin mismatch. [RESOLVED — blocker 2, mv3 major Origin]
 4. **No `/connect` HTTP endpoint.** Token bootstrap is the **native-messaging trampoline** reading the 0600 file (the model/attacker can't read it), with a manual file-path-pairing fallback. No race-able network token vendor exists. [RESOLVED — blocker 3]
 5. **Token never logged.** Never on stdout or stderr; only in the 0600 file (mode verified post-write, fail-closed). Any human-readable pairing artifact is also 0600 and short-lived. `policy.test.ts` asserts the token appears on neither stream. `logErr` redacts. [RESOLVED — major 5]
-6. **Default-deny domain policy, ON by default, gating READS too.** `Policy { allowDomains: glob[]; allowEval; allowDownloads; allowAllTabs }`. Absent config → **SAFE DEFAULT**: navigate only to `about:blank` + already-open allowlisted tabs, **eval denied cross-domain, reads (`get_text`/`get_html`/`screenshot`/`eval`) denied outside the allowlist**, downloads off. `assertUrlAllowed(currentTabUrl, method)` runs in **the executor dispatch (both backends) AND the extension router** before any attach/navigate/eval/read. `--unsafe-all-domains` (= `allowDomains:['*']`) is the loud-logged escape hatch. [RESOLVED — major 4]
+6. **Default-deny domain policy, ON by default, gating READS too.** `Policy { allowDomains: glob[]; allowEval; allowDownloads; allowAllTabs }`. Absent config → **SAFE DEFAULT**: navigate only to `about:blank` + already-open allowlisted tabs, **eval denied cross-domain, reads (`get_text`/`get_html`/`screenshot`/`eval`) denied outside the allowlist**, downloads off. `assertUrlAllowed(currentTabUrl, method)` runs SERVER-SIDE in **the executor dispatch (both backends)** before any attach/navigate/eval/read. The extension router does NOT re-check the policy (token is the sole bridge boundary); a mirrored extension-side gate is a planned hardening. `--unsafe-all-domains` (= `allowDomains:['*']`) is the loud-logged escape hatch. [RESOLVED — major 4]
 7. **Safe-mode shipped in v1 (not "future").** Default disables `eval` and the entire mutating tool set; `--enable-mutations` / `--unsafe-enable-eval` opt in. `eval`'s effective target origin (the tab's current URL) is allowlist-checked before dispatch. [RESOLVED — major eval]
 8. **Narrowed manifest:** no `<all_urls>`; `host_permissions:[]` + `optional_host_permissions` requested on demand after an explicit user action-click grant before first attach. [RESOLVED — major 4]
 9. **Displacement is a security event:** superseding connects are logged loudly + surfaced in `chrome_status`; the active connection is pinned to the first `hello` ext id and won't be displaced by a different id without re-pair. [RESOLVED — minor 9]

package/extension-dist/manifest.json

@@ -1,12 +1,27 @@
 {
   "manifest_version": 3,
   "name": "Chrome MCP Bridge",
-  "version": "0.4.0",
+  "version": "0.4.1",
   "description": "Lets a local chrome-mcp server drive this browser. Pair it with the server's handshake token.",
   "minimum_chrome_version": "116",
-  "background": { "service_worker": "background.js" },
-  "permissions": ["tabs", "scripting", "activeTab", "downloads", "storage", "alarms", "cookies", "debugger"],
-  "host_permissions": ["<all_urls>"],
+  "background": {
+    "service_worker": "background.js"
+  },
+  "permissions": [
+    "tabs",
+    "scripting",
+    "activeTab",
+    "downloads",
+    "storage",
+    "alarms",
+    "cookies",
+    "debugger"
+  ],
+  "host_permissions": [
+    "<all_urls>"
+  ],
   "options_page": "options.html",
-  "action": { "default_title": "Chrome MCP — open options to pair" }
+  "action": {
+    "default_title": "Chrome MCP — open options to pair"
+  }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mehmoodqureshi/chrome-mcp",
-  "version": "0.4.0",
+  "version": "0.4.1",
   "description": "Drive a real Chrome browser over MCP. A stdio MCP server (CLI) plus an MV3 extension, behind one pluggable Executor (extension via chrome.scripting, or a Playwright CDP fallback).",
   "author": "Mehmood Ur Rehman Qureshi",
   "license": "MIT",