@mehmoodqureshi/chrome-mcp 0.4.1 → 0.4.2

package/dist/shared/policy.d.ts

@@ -0,0 +1,34 @@
+/**
+ * shared/policy.ts — the PURE policy decision, imported VERBATIM by both the
+ * server (src/security/policy.ts wraps it to throw ExecutorError) and the
+ * extension (router mirrors it to throw CmdError). Keeping the decision in one
+ * shared module is what makes the two ends provably agree — the gate is then
+ * genuinely enforced "at both ends" (server dispatch AND extension router).
+ *
+ * No throwing, no Node/Chrome deps: returns a verdict the caller renders into
+ * whatever error type it uses.
+ */
+import type { WireMethod, WirePolicy } from './protocol';
+export declare function isReadMethod(method: WireMethod): boolean;
+/** Everything in the mutating tool set that safe-mode disables. `eval` is gated
+ *  separately via `allowEval`; `download_file` separately via `allowDownloads`. */
+export declare function isMutatingMethod(method: WireMethod): boolean;
+/** Whether the method touches a specific URL that must be allowlisted. */
+export declare function isUrlGated(method: WireMethod): boolean;
+/** Parse a host out of a URL string; '' if it has none (about:blank, data:, …). */
+export declare function hostOf(url: string): string;
+export declare function isDomainAllowed(url: string, policy: WirePolicy): boolean;
+export type PolicyVerdict = {
+    ok: true;
+} | {
+    ok: false;
+    reason: string;
+};
+/**
+ * Decide whether `method` against `url` is permitted by `policy`. `url` is the
+ * DESTINATION for navigation, otherwise the current tab URL. Pure: returns a
+ * verdict; the caller throws its own error type on `{ ok: false }`.
+ */
+export declare function evaluatePolicy(url: string, method: WireMethod, policy: WirePolicy): PolicyVerdict;
+/** A wire policy that allows nothing — the safe default when none was delivered. */
+export declare const DENY_ALL_WIRE_POLICY: WirePolicy;

package/dist/shared/policy.js

@@ -0,0 +1,151 @@
+"use strict";
+/**
+ * shared/policy.ts — the PURE policy decision, imported VERBATIM by both the
+ * server (src/security/policy.ts wraps it to throw ExecutorError) and the
+ * extension (router mirrors it to throw CmdError). Keeping the decision in one
+ * shared module is what makes the two ends provably agree — the gate is then
+ * genuinely enforced "at both ends" (server dispatch AND extension router).
+ *
+ * No throwing, no Node/Chrome deps: returns a verdict the caller renders into
+ * whatever error type it uses.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DENY_ALL_WIRE_POLICY = void 0;
+exports.isReadMethod = isReadMethod;
+exports.isMutatingMethod = isMutatingMethod;
+exports.isUrlGated = isUrlGated;
+exports.hostOf = hostOf;
+exports.isDomainAllowed = isDomainAllowed;
+exports.evaluatePolicy = evaluatePolicy;
+// ---------------------------------------------------------------------------
+// Method classification
+// ---------------------------------------------------------------------------
+/** Methods that read page CONTENT (the exfil payload) — URL-gated. */
+const READ_CONTENT = new Set([
+    'get_text',
+    'get_html',
+    'screenshot',
+    'wait_for',
+]);
+/** Content-mutating actions — URL-gated AND mutation-gated. */
+const MUTATE_CONTENT = new Set([
+    'click',
+    'type',
+    'press',
+    'hover',
+    'scroll',
+]);
+/** Navigation — URL-gated by the DESTINATION url, and mutation-gated. */
+const NAVIGATION = new Set([
+    'navigate',
+    'back',
+    'forward',
+    'reload',
+]);
+/** Tab management — mutation-gated, but not content-URL-gated. */
+const TAB_MUTATE = new Set([
+    'tab_select',
+    'tab_new',
+    'tab_close',
+]);
+function isReadMethod(method) {
+    return READ_CONTENT.has(method) || method === 'tabs_list';
+}
+/** Everything in the mutating tool set that safe-mode disables. `eval` is gated
+ *  separately via `allowEval`; `download_file` separately via `allowDownloads`. */
+function isMutatingMethod(method) {
+    return MUTATE_CONTENT.has(method) || NAVIGATION.has(method) || TAB_MUTATE.has(method);
+}
+/** Whether the method touches a specific URL that must be allowlisted. */
+function isUrlGated(method) {
+    return (READ_CONTENT.has(method) ||
+        MUTATE_CONTENT.has(method) ||
+        NAVIGATION.has(method) ||
+        method === 'eval' ||
+        method === 'upload_file');
+}
+// ---------------------------------------------------------------------------
+// Domain matching
+// ---------------------------------------------------------------------------
+/** Parse a host out of a URL string; '' if it has none (about:blank, data:, …). */
+function hostOf(url) {
+    try {
+        return new URL(url).hostname.toLowerCase();
+    }
+    catch {
+        return '';
+    }
+}
+function isAboutBlank(url) {
+    return url === 'about:blank' || url === '' || url.startsWith('about:');
+}
+/** Convert a single domain glob to a predicate. '*' matches everything;
+ *  '*.example.com' matches example.com and any subdomain; otherwise exact host. */
+function globMatches(host, pattern) {
+    const p = pattern.trim().toLowerCase();
+    if (p === '*' || p === '*://*/*')
+        return true;
+    if (p.startsWith('*.')) {
+        const base = p.slice(2);
+        return host === base || host.endsWith('.' + base);
+    }
+    return host === p;
+}
+function isDomainAllowed(url, policy) {
+    const host = hostOf(url);
+    if (!host)
+        return false;
+    return policy.allowDomains.some((pat) => globMatches(host, pat));
+}
+/**
+ * Decide whether `method` against `url` is permitted by `policy`. `url` is the
+ * DESTINATION for navigation, otherwise the current tab URL. Pure: returns a
+ * verdict; the caller throws its own error type on `{ ok: false }`.
+ */
+function evaluatePolicy(url, method, policy) {
+    // -- capability gates (independent of URL) --
+    if (method === 'eval' && !policy.allowEval) {
+        return { ok: false, reason: 'eval is disabled (safe-mode). Pass --unsafe-enable-eval to allow it.' };
+    }
+    if (method === 'download_file' && !policy.allowDownloads) {
+        return { ok: false, reason: 'downloads are disabled. Pass --enable-downloads or set allowDownloads.' };
+    }
+    if (method === 'upload_file' && !policy.allowUploads) {
+        return {
+            ok: false,
+            reason: 'uploads are disabled (sending local files to a page is an exfiltration risk). ' +
+                'Pass --enable-uploads or set allowUploads.',
+        };
+    }
+    if (isMutatingMethod(method) && !policy.enableMutations) {
+        return {
+            ok: false,
+            reason: `mutating tool "${method}" is disabled (safe-mode). Pass --enable-mutations to allow it.`,
+        };
+    }
+    // Methods that don't carry a content URL pass once the gates above are clear.
+    if (!isUrlGated(method))
+        return { ok: true };
+    // Navigating to a blank page is always fine.
+    if (isAboutBlank(url) && NAVIGATION.has(method))
+        return { ok: true };
+    if (!isDomainAllowed(url, policy)) {
+        const host = hostOf(url) || url;
+        return {
+            ok: false,
+            reason: `"${method}" denied: ${host} is not in the domain allowlist. ` +
+                `Add it to allowDomains, or pass --unsafe-all-domains.`,
+        };
+    }
+    return { ok: true };
+}
+/** A wire policy that allows nothing — the safe default when none was delivered. */
+exports.DENY_ALL_WIRE_POLICY = {
+    allowDomains: [],
+    allowEval: false,
+    allowDownloads: false,
+    allowUploads: false,
+    allowAllTabs: false,
+    enableMutations: false,
+};
+//# sourceMappingURL=policy.js.map

package/dist/shared/protocol.d.ts

@@ -49,11 +49,26 @@ export interface HelloFrame extends BaseFrame {
         chrome: string;
     };
 }
+/**
+ * The wire-serializable subset of the server's policy, delivered in `welcome` so
+ * the extension can enforce the SAME gate the server does (defense-in-depth). The
+ * server-only `uploadsDir` (a local filesystem path) is intentionally NOT sent.
+ */
+export interface WirePolicy {
+    allowDomains: string[];
+    allowEval: boolean;
+    allowDownloads: boolean;
+    allowUploads: boolean;
+    allowAllTabs: boolean;
+    enableMutations: boolean;
+}
 export interface WelcomeFrame extends BaseFrame {
     type: 'welcome';
     serverVersion: string;
     sessionId: string;
     heartbeatMs: number;
+    /** The active policy, so the extension can mirror the server-side gate. */
+    policy: WirePolicy;
 }
 export interface UnauthFrame extends BaseFrame {
     type: 'unauthorized';

package/dist/src/bridge/server.d.ts

@@ -10,7 +10,7 @@
  *   3. On success, send `welcome`, promote to the single ACTIVE connection
  *      (superseding any prior one — a security-relevant displacement event).
  */
-import { type WireEvent, type WireMethod } from '../../shared/protocol';
+import { type WireEvent, type WireMethod, type WirePolicy } from '../../shared/protocol';
 export interface DisplacementInfo {
     oldExtId: string;
     newExtId: string;
@@ -20,6 +20,9 @@ export interface DisplacementInfo {
 export interface BridgeOptions {
     token: string;
     serverVersion: string;
+    /** Active policy, sent to the extension in `welcome` so it mirrors the gate.
+     *  Defaults to deny-all if omitted. */
+    policy?: WirePolicy;
     port?: number;
     host?: string;
     heartbeatMs?: number;

package/dist/src/bridge/server.js

@@ -16,6 +16,7 @@ exports.BridgeServer = void 0;
 const ws_1 = require("ws");
 const node_crypto_1 = require("node:crypto");
 const protocol_1 = require("../../shared/protocol");
+const policy_1 = require("../../shared/policy");
 const types_1 = require("../executor/types");
 const connection_1 = require("./connection");
 const auth_1 = require("./auth");
@@ -174,6 +175,7 @@ class BridgeServer {
             serverVersion: this.opts.serverVersion,
             sessionId,
             heartbeatMs: this.heartbeatMs,
+            policy: this.opts.policy ?? policy_1.DENY_ALL_WIRE_POLICY,
         };
         this.send(ws, welcome);
         this.log(`extension paired (session ${sessionId}, id "${ext.id}")`);

package/dist/src/cli.js

@@ -61,9 +61,12 @@ async function main() {
     }
     const dataDir = (0, datadir_1.ensureDataDir)(cfg.dataDir);
     const token = (0, auth_1.resolveToken)(dataDir, { persist: cfg.persistToken });
+    const { allowDomains, allowEval, allowDownloads, allowUploads, allowAllTabs, enableMutations } = cfg.policy;
     const bridge = new server_1.BridgeServer({
         token,
         serverVersion: version(),
+        // Wire-serializable policy subset (no local uploadsDir) so the extension mirrors the gate.
+        policy: { allowDomains, allowEval, allowDownloads, allowUploads, allowAllTabs, enableMutations },
         port: cfg.wsPort,
         onLog: (m) => (0, server_2.logErr)(m),
         onDisplacement: (d) => (0, server_2.logErr)(`SECURITY: extension connection displaced (different id: ${d.differentId})`),

package/dist/src/security/policy.d.ts

@@ -6,54 +6,36 @@
  * threat, so the policy:
  *   - is ON by default with a SAFE default (empty allowlist, no eval, no
  *     downloads, mutations disabled),
- *   - gates READS as well as writes (reads are the exfil payload).
- *
- * SCOPE OF ENFORCEMENT: this policy is enforced SERVER-SIDE ONLY, at the executor
- * dispatch chokepoint (`assertUrlAllowed` in src/mcp/tools.ts). The extension does
- * NOT independently re-check the policy, so the bridge token is the sole trust
- * boundary for the WebSocket: any client holding the token can issue commands the
- * extension will execute, regardless of this policy. The policy constrains the
- * official MCP server (and thus the LLM driving it); it is not a second line of
- * defense against a rogue token-holding client. (A future hardening would mirror
- * this gate inside the extension router via a policy delivered in the welcome frame.)
+ *   - gates READS as well as writes (reads are the exfil payload),
+ *   - is enforced at BOTH ends. The decision lives in `shared/policy.ts`
+ *     (`evaluatePolicy`); the server wraps it here (`assertUrlAllowed`) and the
+ *     extension router runs the SAME function against the policy delivered in the
+ *     `welcome` frame. Because both ends call one shared function, they cannot
+ *     drift, and a client that bypasses the server still hits the extension gate.
+ *     (The bridge token remains the PRIMARY trust boundary for the WebSocket;
+ *     the extension gate is defense-in-depth on top of it.)
  *
  * `assertUrlAllowed(url, method, policy)` is the single chokepoint. It throws an
  * `ExecutorError('POLICY_DENIED', …)` which the never-throw dispatch firewall
  * renders as a structured MCP error.
  */
-import type { WireMethod } from '../../shared/protocol';
-export interface Policy {
-    /** Glob domain allowlist, e.g. ['example.com', '*.example.com', '*']. Empty = deny all. */
-    allowDomains: string[];
-    /** Allow the `eval` primitive at all. */
-    allowEval: boolean;
-    /** Allow `download_file`. */
-    allowDownloads: boolean;
-    /** Allow `upload_file` (sends local files to the page — exfiltration risk). */
-    allowUploads: boolean;
+import type { WireMethod, WirePolicy } from '../../shared/protocol';
+import { isReadMethod, isMutatingMethod, isUrlGated, hostOf, isDomainAllowed } from '../../shared/policy';
+export { isReadMethod, isMutatingMethod, isUrlGated, hostOf, isDomainAllowed };
+/** The full server-side policy: the wire-serializable {@link WirePolicy} plus the
+ *  server-only `uploadsDir` (a local path, never sent to the extension). */
+export interface Policy extends WirePolicy {
     /** If set, `upload_file` may only read files inside this directory (absolute path). */
     uploadsDir?: string;
-    /** Allow acting on / reading tabs whose URL is not in `allowDomains` is governed
-     *  by `allowDomains`; this flag instead relaxes tab *management* (list/select)
-     *  to all tabs regardless of their URL. Default false. */
-    allowAllTabs: boolean;
-    /** Safe-mode master switch for the mutating tool set (click/type/navigate/…). */
-    enableMutations: boolean;
 }
 /** The SAFE default: deny everything until the user opts in. */
 export declare const DEFAULT_POLICY: Readonly<Policy>;
 /** Merge a partial (from a policy file and/or CLI flags) over the safe default. */
 export declare function resolvePolicy(partial?: Partial<Policy>): Policy;
-export declare function isReadMethod(method: WireMethod): boolean;
-/** Everything in the mutating tool set that safe-mode disables. `eval` is gated
- *  separately via `allowEval`; `download_file` separately via `allowDownloads`. */
-export declare function isMutatingMethod(method: WireMethod): boolean;
-/** Parse a host out of a URL string; '' if it has none (about:blank, data:, …). */
-export declare function hostOf(url: string): string;
-export declare function isDomainAllowed(url: string, policy: Policy): boolean;
 /**
  * Throw `POLICY_DENIED` unless `method` against `url` is permitted by `policy`.
  * `url` is the DESTINATION for navigation, otherwise the current tab URL.
- * Pure and side-effect-free so it can run identically on server and extension.
+ * Thin server-side wrapper over the shared, pure `evaluatePolicy` — the SAME
+ * function the extension router runs, so the two ends cannot drift.
  */
 export declare function assertUrlAllowed(url: string, method: WireMethod, policy: Policy): void;

package/dist/src/security/policy.js

@@ -7,30 +7,30 @@
  * threat, so the policy:
  *   - is ON by default with a SAFE default (empty allowlist, no eval, no
  *     downloads, mutations disabled),
- *   - gates READS as well as writes (reads are the exfil payload).
- *
- * SCOPE OF ENFORCEMENT: this policy is enforced SERVER-SIDE ONLY, at the executor
- * dispatch chokepoint (`assertUrlAllowed` in src/mcp/tools.ts). The extension does
- * NOT independently re-check the policy, so the bridge token is the sole trust
- * boundary for the WebSocket: any client holding the token can issue commands the
- * extension will execute, regardless of this policy. The policy constrains the
- * official MCP server (and thus the LLM driving it); it is not a second line of
- * defense against a rogue token-holding client. (A future hardening would mirror
- * this gate inside the extension router via a policy delivered in the welcome frame.)
+ *   - gates READS as well as writes (reads are the exfil payload),
+ *   - is enforced at BOTH ends. The decision lives in `shared/policy.ts`
+ *     (`evaluatePolicy`); the server wraps it here (`assertUrlAllowed`) and the
+ *     extension router runs the SAME function against the policy delivered in the
+ *     `welcome` frame. Because both ends call one shared function, they cannot
+ *     drift, and a client that bypasses the server still hits the extension gate.
+ *     (The bridge token remains the PRIMARY trust boundary for the WebSocket;
+ *     the extension gate is defense-in-depth on top of it.)
  *
  * `assertUrlAllowed(url, method, policy)` is the single chokepoint. It throws an
  * `ExecutorError('POLICY_DENIED', …)` which the never-throw dispatch firewall
  * renders as a structured MCP error.
  */
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.DEFAULT_POLICY = void 0;
+exports.DEFAULT_POLICY = exports.isDomainAllowed = exports.hostOf = exports.isUrlGated = exports.isMutatingMethod = exports.isReadMethod = void 0;
 exports.resolvePolicy = resolvePolicy;
-exports.isReadMethod = isReadMethod;
-exports.isMutatingMethod = isMutatingMethod;
-exports.hostOf = hostOf;
-exports.isDomainAllowed = isDomainAllowed;
 exports.assertUrlAllowed = assertUrlAllowed;
 const types_1 = require("../executor/types");
+const policy_1 = require("../../shared/policy");
+Object.defineProperty(exports, "isReadMethod", { enumerable: true, get: function () { return policy_1.isReadMethod; } });
+Object.defineProperty(exports, "isMutatingMethod", { enumerable: true, get: function () { return policy_1.isMutatingMethod; } });
+Object.defineProperty(exports, "isUrlGated", { enumerable: true, get: function () { return policy_1.isUrlGated; } });
+Object.defineProperty(exports, "hostOf", { enumerable: true, get: function () { return policy_1.hostOf; } });
+Object.defineProperty(exports, "isDomainAllowed", { enumerable: true, get: function () { return policy_1.isDomainAllowed; } });
 /** The SAFE default: deny everything until the user opts in. */
 exports.DEFAULT_POLICY = Object.freeze({
     allowDomains: [],
@@ -54,121 +54,17 @@ function resolvePolicy(partial) {
     };
 }
 // ---------------------------------------------------------------------------
-// Method classification
-// ---------------------------------------------------------------------------
-/** Methods that read page CONTENT (the exfil payload) — URL-gated. */
-const READ_CONTENT = new Set([
-    'get_text',
-    'get_html',
-    'screenshot',
-    'wait_for',
-]);
-/** Content-mutating actions — URL-gated AND mutation-gated. */
-const MUTATE_CONTENT = new Set([
-    'click',
-    'type',
-    'press',
-    'hover',
-    'scroll',
-]);
-/** Navigation — URL-gated by the DESTINATION url, and mutation-gated. */
-const NAVIGATION = new Set([
-    'navigate',
-    'back',
-    'forward',
-    'reload',
-]);
-/** Tab management — mutation-gated, but not content-URL-gated (unless allowAllTabs is off). */
-const TAB_MUTATE = new Set([
-    'tab_select',
-    'tab_new',
-    'tab_close',
-]);
-function isReadMethod(method) {
-    return READ_CONTENT.has(method) || method === 'tabs_list';
-}
-/** Everything in the mutating tool set that safe-mode disables. `eval` is gated
- *  separately via `allowEval`; `download_file` separately via `allowDownloads`. */
-function isMutatingMethod(method) {
-    return MUTATE_CONTENT.has(method) || NAVIGATION.has(method) || TAB_MUTATE.has(method);
-}
-/** Whether the method touches a specific URL that must be allowlisted. */
-function isUrlGated(method) {
-    return (READ_CONTENT.has(method) ||
-        MUTATE_CONTENT.has(method) ||
-        NAVIGATION.has(method) ||
-        method === 'eval' ||
-        method === 'upload_file');
-}
-// ---------------------------------------------------------------------------
-// Domain matching
-// ---------------------------------------------------------------------------
-/** Parse a host out of a URL string; '' if it has none (about:blank, data:, …). */
-function hostOf(url) {
-    try {
-        return new URL(url).hostname.toLowerCase();
-    }
-    catch {
-        return '';
-    }
-}
-function isAboutBlank(url) {
-    return url === 'about:blank' || url === '' || url.startsWith('about:');
-}
-/** Convert a single domain glob to a predicate. '*' matches everything;
- *  '*.example.com' matches example.com and any subdomain; otherwise exact host. */
-function globMatches(host, pattern) {
-    const p = pattern.trim().toLowerCase();
-    if (p === '*' || p === '*://*/*')
-        return true;
-    if (p.startsWith('*.')) {
-        const base = p.slice(2);
-        return host === base || host.endsWith('.' + base);
-    }
-    return host === p;
-}
-function isDomainAllowed(url, policy) {
-    const host = hostOf(url);
-    if (!host)
-        return false;
-    return policy.allowDomains.some((pat) => globMatches(host, pat));
-}
-// ---------------------------------------------------------------------------
 // The gate
 // ---------------------------------------------------------------------------
 /**
  * Throw `POLICY_DENIED` unless `method` against `url` is permitted by `policy`.
  * `url` is the DESTINATION for navigation, otherwise the current tab URL.
- * Pure and side-effect-free so it can run identically on server and extension.
+ * Thin server-side wrapper over the shared, pure `evaluatePolicy` — the SAME
+ * function the extension router runs, so the two ends cannot drift.
  */
 function assertUrlAllowed(url, method, policy) {
-    // -- capability gates (independent of URL) --
-    if (method === 'eval' && !policy.allowEval) {
-        throw new types_1.ExecutorError('POLICY_DENIED', 'eval is disabled (safe-mode). Pass --unsafe-enable-eval to allow it.');
-    }
-    if (method === 'download_file' && !policy.allowDownloads) {
-        throw new types_1.ExecutorError('POLICY_DENIED', 'downloads are disabled. Pass --enable-downloads or set allowDownloads.');
-    }
-    if (method === 'upload_file' && !policy.allowUploads) {
-        throw new types_1.ExecutorError('POLICY_DENIED', 'uploads are disabled (sending local files to a page is an exfiltration risk). ' +
-            'Pass --enable-uploads or set allowUploads.');
-    }
-    if (isMutatingMethod(method) && !policy.enableMutations) {
-        throw new types_1.ExecutorError('POLICY_DENIED', `mutating tool "${method}" is disabled (safe-mode). Pass --enable-mutations to allow it.`);
-    }
-    // -- tab management without allowAllTabs still needs the target tab's URL allowlisted,
-    //    but list/select/close don't carry a content URL here; treat them as allowed once
-    //    the mutation gate above has passed (URL-gating of their effect happens on the
-    //    subsequent content op). --
-    if (!isUrlGated(method))
-        return;
-    // Navigating to a blank page is always fine.
-    if (isAboutBlank(url) && NAVIGATION.has(method))
-        return;
-    if (!isDomainAllowed(url, policy)) {
-        const host = hostOf(url) || url;
-        throw new types_1.ExecutorError('POLICY_DENIED', `"${method}" denied: ${host} is not in the domain allowlist. ` +
-            `Add it to allowDomains, or pass --unsafe-all-domains.`);
-    }
+    const verdict = (0, policy_1.evaluatePolicy)(url, method, policy);
+    if (!verdict.ok)
+        throw new types_1.ExecutorError('POLICY_DENIED', verdict.reason);
 }
 //# sourceMappingURL=policy.js.map

package/docs/BLUEPRINT.md

@@ -64,7 +64,7 @@ takes over from CDP and vice-versa on disconnect.
 - **The 256-bit per-boot token is the ONLY security boundary.** Origin checks and the loopback bind are defense-in-depth against *browser-page* attackers, not native processes. [RESOLVED — security blockers 2 & 3]
 - **One canonical `protocol.ts`** imported by both server and extension. Four conflicting wire/port/token designs are collapsed into this single contract. [RESOLVED — integration blocker 1]
 - **Helpers (`extract_links`, `read_as_markdown`, `fill_form`) are composed server-side** from primitives. Only `download_file` is an executor/wire method. [RESOLVED — integration blocker 2]
-- **Default-deny domain policy is ON by default and gates reads too**, enforced SERVER-SIDE inside the executor dispatch (both backends). NOTE: the extension router does NOT independently re-check the policy — the bridge token is the sole trust boundary for the WebSocket. Mirroring the gate into the extension router is a planned hardening. [RESOLVED — security major 4 & eval]
+- **Default-deny domain policy is ON by default and gates reads too**, enforced at BOTH ends via the shared `evaluatePolicy` (`shared/policy.ts`): the server wraps it in the executor dispatch, and the extension router runs the same function against the policy delivered in the `welcome` frame. The bridge token remains the primary trust boundary; the extension gate is defense-in-depth. [RESOLVED — security major 4 & eval]
 
 ---
 
@@ -540,7 +540,7 @@ threat** (this tool feeds untrusted page text to an LLM that can call `eval`).
 3. **Origin is NOT a security layer.** Documented as defense-in-depth against *browser-page* attackers only (a web page cannot forge a `chrome-extension://` Origin; a native process can). The token holds independently. We never relax token strength on Origin's account. Never reject a valid-token dev connection solely on Origin mismatch. [RESOLVED — blocker 2, mv3 major Origin]
 4. **No `/connect` HTTP endpoint.** Token bootstrap is the **native-messaging trampoline** reading the 0600 file (the model/attacker can't read it), with a manual file-path-pairing fallback. No race-able network token vendor exists. [RESOLVED — blocker 3]
 5. **Token never logged.** Never on stdout or stderr; only in the 0600 file (mode verified post-write, fail-closed). Any human-readable pairing artifact is also 0600 and short-lived. `policy.test.ts` asserts the token appears on neither stream. `logErr` redacts. [RESOLVED — major 5]
-6. **Default-deny domain policy, ON by default, gating READS too.** `Policy { allowDomains: glob[]; allowEval; allowDownloads; allowAllTabs }`. Absent config → **SAFE DEFAULT**: navigate only to `about:blank` + already-open allowlisted tabs, **eval denied cross-domain, reads (`get_text`/`get_html`/`screenshot`/`eval`) denied outside the allowlist**, downloads off. `assertUrlAllowed(currentTabUrl, method)` runs SERVER-SIDE in **the executor dispatch (both backends)** before any attach/navigate/eval/read. The extension router does NOT re-check the policy (token is the sole bridge boundary); a mirrored extension-side gate is a planned hardening. `--unsafe-all-domains` (= `allowDomains:['*']`) is the loud-logged escape hatch. [RESOLVED — major 4]
+6. **Default-deny domain policy, ON by default, gating READS too.** `Policy { allowDomains: glob[]; allowEval; allowDownloads; allowAllTabs }`. Absent config → **SAFE DEFAULT**: navigate only to `about:blank` + already-open allowlisted tabs, **eval denied cross-domain, reads (`get_text`/`get_html`/`screenshot`/`eval`) denied outside the allowlist**, downloads off. The shared `evaluatePolicy(url, method, policy)` runs at **both ends** — wrapped server-side as `assertUrlAllowed` in the executor dispatch (both backends), and re-run by the extension router against the policy delivered in `welcome` — before any attach/navigate/eval/read. `--unsafe-all-domains` (= `allowDomains:['*']`) is the loud-logged escape hatch. [RESOLVED — major 4]
 7. **Safe-mode shipped in v1 (not "future").** Default disables `eval` and the entire mutating tool set; `--enable-mutations` / `--unsafe-enable-eval` opt in. `eval`'s effective target origin (the tab's current URL) is allowlist-checked before dispatch. [RESOLVED — major eval]
 8. **Narrowed manifest:** no `<all_urls>`; `host_permissions:[]` + `optional_host_permissions` requested on demand after an explicit user action-click grant before first attach. [RESOLVED — major 4]
 9. **Displacement is a security event:** superseding connects are logged loudly + surfaced in `chrome_status`; the active connection is pinned to the first `hello` ext id and won't be displaced by a different id without re-pair. [RESOLVED — minor 9]

package/extension-dist/background.js

@@ -75,6 +75,7 @@
         }
         switch (frame.type) {
           case "welcome":
+            this.deps.onPolicy(frame.policy);
             this.setState("connected");
             this.deps.log("paired with server");
             break;
@@ -116,6 +117,92 @@
     }
   };
 
+  // shared/policy.ts
+  var READ_CONTENT = /* @__PURE__ */ new Set([
+    "get_text",
+    "get_html",
+    "screenshot",
+    "wait_for"
+  ]);
+  var MUTATE_CONTENT = /* @__PURE__ */ new Set([
+    "click",
+    "type",
+    "press",
+    "hover",
+    "scroll"
+  ]);
+  var NAVIGATION = /* @__PURE__ */ new Set([
+    "navigate",
+    "back",
+    "forward",
+    "reload"
+  ]);
+  var TAB_MUTATE = /* @__PURE__ */ new Set([
+    "tab_select",
+    "tab_new",
+    "tab_close"
+  ]);
+  function isMutatingMethod(method) {
+    return MUTATE_CONTENT.has(method) || NAVIGATION.has(method) || TAB_MUTATE.has(method);
+  }
+  function isUrlGated(method) {
+    return READ_CONTENT.has(method) || MUTATE_CONTENT.has(method) || NAVIGATION.has(method) || method === "eval" || method === "upload_file";
+  }
+  function hostOf(url) {
+    try {
+      return new URL(url).hostname.toLowerCase();
+    } catch {
+      return "";
+    }
+  }
+  function isAboutBlank(url) {
+    return url === "about:blank" || url === "" || url.startsWith("about:");
+  }
+  function globMatches(host, pattern) {
+    const p = pattern.trim().toLowerCase();
+    if (p === "*" || p === "*://*/*") return true;
+    if (p.startsWith("*.")) {
+      const base = p.slice(2);
+      return host === base || host.endsWith("." + base);
+    }
+    return host === p;
+  }
+  function isDomainAllowed(url, policy) {
+    const host = hostOf(url);
+    if (!host) return false;
+    return policy.allowDomains.some((pat) => globMatches(host, pat));
+  }
+  function evaluatePolicy(url, method, policy) {
+    if (method === "eval" && !policy.allowEval) {
+      return { ok: false, reason: "eval is disabled (safe-mode). Pass --unsafe-enable-eval to allow it." };
+    }
+    if (method === "download_file" && !policy.allowDownloads) {
+      return { ok: false, reason: "downloads are disabled. Pass --enable-downloads or set allowDownloads." };
+    }
+    if (method === "upload_file" && !policy.allowUploads) {
+      return {
+        ok: false,
+        reason: "uploads are disabled (sending local files to a page is an exfiltration risk). Pass --enable-uploads or set allowUploads."
+      };
+    }
+    if (isMutatingMethod(method) && !policy.enableMutations) {
+      return {
+        ok: false,
+        reason: `mutating tool "${method}" is disabled (safe-mode). Pass --enable-mutations to allow it.`
+      };
+    }
+    if (!isUrlGated(method)) return { ok: true };
+    if (isAboutBlank(url) && NAVIGATION.has(method)) return { ok: true };
+    if (!isDomainAllowed(url, policy)) {
+      const host = hostOf(url) || url;
+      return {
+        ok: false,
+        reason: `"${method}" denied: ${host} is not in the domain allowlist. Add it to allowDomains, or pass --unsafe-all-domains.`
+      };
+    }
+    return { ok: true };
+  }
+
   // shared/download.ts
   var MAX_DOWNLOAD_BYTES = 100 * 1024 * 1024;
   var DANGEROUS_EXTENSIONS = /* @__PURE__ */ new Set([
@@ -303,6 +390,19 @@
   async function targetTab(cmd) {
     return cmd.tabId ? parseTabId(cmd.tabId) : currentTabId();
   }
+  async function urlForCommand(cmd) {
+    if (cmd.method === "navigate") {
+      const u = cmd.params.url;
+      return typeof u === "string" ? u : "";
+    }
+    try {
+      const tabId = await targetTab(cmd);
+      const t = await chrome.tabs.get(tabId);
+      return t.url ?? "";
+    } catch {
+      return "";
+    }
+  }
   async function execInTab(tabId, func, args = [], world) {
     const [res] = await chrome.scripting.executeScript({
       target: { tabId },
@@ -829,6 +929,12 @@
     }
     async dispatch(cmd) {
       try {
+        const policy = this.deps.getPolicy();
+        if (policy) {
+          const url = isUrlGated(cmd.method) ? await urlForCommand(cmd) : "";
+          const verdict = evaluatePolicy(url, cmd.method, policy);
+          if (!verdict.ok) throw new CmdError("POLICY_DENIED", verdict.reason);
+        }
         const data = await this.deps.exec.run(cmd);
         const frame = { type: "result", v: PROTOCOL_VERSION, id: cmd.id, ok: true, data };
         this.deps.send(frame);
@@ -850,15 +956,20 @@
 
   // extension/src/sw/background.ts
   var KEEPALIVE_ALARM = "chrome-mcp-keepalive";
+  var currentPolicy = null;
   var executor = new ChromeExecutor();
   var ws = new WsClient({
     onCommand: (cmd) => void router.dispatch(cmd),
     onState: (state) => void persistState(state),
+    onPolicy: (policy) => {
+      currentPolicy = policy;
+    },
     log: (m) => console.debug("[chrome-mcp]", m)
   });
   var router = new CommandRouter({
     exec: executor,
     send: (frame) => ws.send(frame),
+    getPolicy: () => currentPolicy,
     log: (m) => console.debug("[chrome-mcp]", m)
   });
   async function getConfig() {

package/extension-dist/manifest.json

@@ -1,7 +1,7 @@
 {
   "manifest_version": 3,
   "name": "Chrome MCP Bridge",
-  "version": "0.4.1",
+  "version": "0.4.2",
   "description": "Lets a local chrome-mcp server drive this browser. Pair it with the server's handshake token.",
   "minimum_chrome_version": "116",
   "background": {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mehmoodqureshi/chrome-mcp",
-  "version": "0.4.1",
+  "version": "0.4.2",
   "description": "Drive a real Chrome browser over MCP. A stdio MCP server (CLI) plus an MV3 extension, behind one pluggable Executor (extension via chrome.scripting, or a Playwright CDP fallback).",
   "author": "Mehmood Ur Rehman Qureshi",
   "license": "MIT",