playwright 1.58.0-alpha-2025-12-30 → 1.58.0-alpha-2026-01-01

package/lib/mcp/browser/config.js

@@ -187,6 +187,7 @@ function configFromCLIOptions(cliOptions) {
       allowedOrigins: cliOptions.allowedOrigins,
       blockedOrigins: cliOptions.blockedOrigins
     },
+    allowUnrestrictedFileAccess: cliOptions.allowUnrestrictedFileAccess,
     saveSession: cliOptions.saveSession,
     saveTrace: cliOptions.saveTrace,
     saveVideo: cliOptions.saveVideo,
@@ -207,6 +208,7 @@ function configFromEnv() {
   const options = {};
   options.allowedHosts = commaSeparatedList(process.env.PLAYWRIGHT_MCP_ALLOWED_HOSTNAMES);
   options.allowedOrigins = semicolonSeparatedList(process.env.PLAYWRIGHT_MCP_ALLOWED_ORIGINS);
+  options.allowUnrestrictedFileAccess = envToBoolean(process.env.PLAYWRIGHT_MCP_ALLOW_UNRESTRICTED_FILE_ACCESS);
   options.blockedOrigins = semicolonSeparatedList(process.env.PLAYWRIGHT_MCP_BLOCKED_ORIGINS);
   options.blockServiceWorkers = envToBoolean(process.env.PLAYWRIGHT_MCP_BLOCK_SERVICE_WORKERS);
   options.browser = envToString(process.env.PLAYWRIGHT_MCP_BROWSER);

package/lib/mcp/browser/context.js

@@ -36,6 +36,8 @@ var import_fs = __toESM(require("fs"));
 var import_utilsBundle = require("playwright-core/lib/utilsBundle");
 var import_utils = require("playwright-core/lib/utils");
 var import_playwright_core = require("playwright-core");
+var import_url = require("url");
+var import_os = __toESM(require("os"));
 var import_log = require("../log");
 var import_tab = require("./tab");
 var import_config = require("./config");
@@ -197,6 +199,10 @@ class Context {
       import_playwright_core.selectors.setTestIdAttribute(this.config.testIdAttribute);
     const result = await this._browserContextFactory.createContext(this._clientInfo, this._abortController.signal, this._runningToolName);
     const { browserContext } = result;
+    if (!this.config.allowUnrestrictedFileAccess) {
+      browserContext._setAllowedProtocols(["http:", "https:", "about:", "data:"]);
+      browserContext._setAllowedDirectories(allRootPaths(this._clientInfo));
+    }
     await this._setupRequestInterception(browserContext);
     if (this.sessionLog)
       await InputRecorder.create(this, browserContext);
@@ -222,6 +228,25 @@ class Context {
     };
   }
 }
+function allRootPaths(clientInfo) {
+  const paths = [];
+  for (const root of clientInfo.roots) {
+    const url = new URL(root.uri);
+    let rootPath;
+    try {
+      rootPath = (0, import_url.fileURLToPath)(url);
+    } catch (e) {
+      if (e.code === "ERR_INVALID_FILE_URL_PATH" && import_os.default.platform() === "win32")
+        rootPath = decodeURIComponent(url.pathname);
+    }
+    if (!rootPath)
+      continue;
+    paths.push(rootPath);
+  }
+  if (paths.length === 0)
+    paths.push(process.cwd());
+  return paths;
+}
 function originOrHostGlob(originOrHost) {
   try {
     const url = new URL(originOrHost);

package/lib/mcp/program.js

@@ -41,7 +41,7 @@ var import_browserContextFactory = require("./browser/browserContextFactory");
 var import_browserServerBackend = require("./browser/browserServerBackend");
 var import_extensionContextFactory = require("./extension/extensionContextFactory");
 function decorateCommand(command, version) {
-  command.option("--allowed-hosts <hosts...>", "comma-separated list of hosts this server is allowed to serve from. Defaults to the host the server is bound to. Pass '*' to disable the host check.", import_config.commaSeparatedList).option("--allowed-origins <origins>", "semicolon-separated list of TRUSTED origins to allow the browser to request. Default is to allow all.\nImportant: *does not* serve as a security boundary and *does not* affect redirects. ", import_config.semicolonSeparatedList).option("--blocked-origins <origins>", "semicolon-separated list of origins to block the browser from requesting. Blocklist is evaluated before allowlist. If used without the allowlist, requests not matching the blocklist are still allowed.\nImportant: *does not* serve as a security boundary and *does not* affect redirects.", import_config.semicolonSeparatedList).option("--block-service-workers", "block service workers").option("--browser <browser>", "browser or chrome channel to use, possible values: chrome, firefox, webkit, msedge.").option("--caps <caps>", "comma-separated list of additional capabilities to enable, possible values: vision, pdf.", import_config.commaSeparatedList).option("--cdp-endpoint <endpoint>", "CDP endpoint to connect to.").option("--cdp-header <headers...>", "CDP headers to send with the connect request, multiple can be specified.", import_config.headerParser).option("--config <path>", "path to the configuration file.").option("--console-level <level>", 'level of console messages to return: "error", "warning", "info", "debug". Each level includes the messages of more severe levels.', import_config.enumParser.bind(null, "--console-level", ["error", "warning", "info", "debug"])).option("--device <device>", 'device to emulate, for example: "iPhone 15"').option("--executable-path <path>", "path to the browser executable.").option("--extension", 'Connect to a running browser instance (Edge/Chrome only). Requires the "Playwright MCP Bridge" browser extension to be installed.').option("--grant-permissions <permissions...>", 'List of permissions to grant to the browser context, for example "geolocation", "clipboard-read", "clipboard-write".', import_config.commaSeparatedList).option("--headless", "run browser in headless mode, headed by default").option("--host <host>", "host to bind server to. Default is localhost. Use 0.0.0.0 to bind to all interfaces.").option("--ignore-https-errors", "ignore https errors").option("--init-page <path...>", "path to TypeScript file to evaluate on Playwright page object").option("--init-script <path...>", "path to JavaScript file to add as an initialization script. The script will be evaluated in every page before any of the page's scripts. Can be specified multiple times.").option("--isolated", "keep the browser profile in memory, do not save it to disk.").option("--image-responses <mode>", 'whether to send image responses to the client. Can be "allow" or "omit", Defaults to "allow".', import_config.enumParser.bind(null, "--image-responses", ["allow", "omit"])).option("--no-sandbox", "disable the sandbox for all process types that are normally sandboxed.").option("--output-dir <path>", "path to the directory for output files.").option("--port <port>", "port to listen on for SSE transport.").option("--proxy-bypass <bypass>", 'comma-separated domains to bypass proxy, for example ".com,chromium.org,.domain.com"').option("--proxy-server <proxy>", 'specify proxy server, for example "http://myproxy:3128" or "socks5://myproxy:8080"').option("--save-session", "Whether to save the Playwright MCP session into the output directory.").option("--save-trace", "Whether to save the Playwright Trace of the session into the output directory.").option("--save-video <size>", 'Whether to save the video of the session into the output directory. For example "--save-video=800x600"', import_config.resolutionParser.bind(null, "--save-video")).option("--secrets <path>", "path to a file containing secrets in the dotenv format", import_config.dotenvFileLoader).option("--shared-browser-context", "reuse the same browser context between all connected HTTP clients.").option("--snapshot-mode <mode>", 'when taking snapshots for responses, specifies the mode to use. Can be "incremental", "full", or "none". Default is incremental.').option("--storage-state <path>", "path to the storage state file for isolated sessions.").option("--test-id-attribute <attribute>", 'specify the attribute to use for test ids, defaults to "data-testid"').option("--timeout-action <timeout>", "specify action timeout in milliseconds, defaults to 5000ms", import_config.numberParser).option("--timeout-navigation <timeout>", "specify navigation timeout in milliseconds, defaults to 60000ms", import_config.numberParser).option("--user-agent <ua string>", "specify user agent string").option("--user-data-dir <path>", "path to the user data directory. If not specified, a temporary directory will be created.").option("--viewport-size <size>", 'specify browser viewport size in pixels, for example "1280x720"', import_config.resolutionParser.bind(null, "--viewport-size")).addOption(new import_utilsBundle.ProgramOption("--vision", "Legacy option, use --caps=vision instead").hideHelp()).action(async (options) => {
+  command.option("--allowed-hosts <hosts...>", "comma-separated list of hosts this server is allowed to serve from. Defaults to the host the server is bound to. Pass '*' to disable the host check.", import_config.commaSeparatedList).option("--allowed-origins <origins>", "semicolon-separated list of TRUSTED origins to allow the browser to request. Default is to allow all.\nImportant: *does not* serve as a security boundary and *does not* affect redirects. ", import_config.semicolonSeparatedList).option("--allow-unrestricted-file-access", "allow access to files outside of the workspace roots. Also allows unrestricted access to file:// URLs. By default access to file system is restricted to workspace root directories (or cwd if no roots are configured) only, and navigation to file:// URLs is blocked.").option("--blocked-origins <origins>", "semicolon-separated list of origins to block the browser from requesting. Blocklist is evaluated before allowlist. If used without the allowlist, requests not matching the blocklist are still allowed.\nImportant: *does not* serve as a security boundary and *does not* affect redirects.", import_config.semicolonSeparatedList).option("--block-service-workers", "block service workers").option("--browser <browser>", "browser or chrome channel to use, possible values: chrome, firefox, webkit, msedge.").option("--caps <caps>", "comma-separated list of additional capabilities to enable, possible values: vision, pdf.", import_config.commaSeparatedList).option("--cdp-endpoint <endpoint>", "CDP endpoint to connect to.").option("--cdp-header <headers...>", "CDP headers to send with the connect request, multiple can be specified.", import_config.headerParser).option("--config <path>", "path to the configuration file.").option("--console-level <level>", 'level of console messages to return: "error", "warning", "info", "debug". Each level includes the messages of more severe levels.', import_config.enumParser.bind(null, "--console-level", ["error", "warning", "info", "debug"])).option("--device <device>", 'device to emulate, for example: "iPhone 15"').option("--executable-path <path>", "path to the browser executable.").option("--extension", 'Connect to a running browser instance (Edge/Chrome only). Requires the "Playwright MCP Bridge" browser extension to be installed.').option("--grant-permissions <permissions...>", 'List of permissions to grant to the browser context, for example "geolocation", "clipboard-read", "clipboard-write".', import_config.commaSeparatedList).option("--headless", "run browser in headless mode, headed by default").option("--host <host>", "host to bind server to. Default is localhost. Use 0.0.0.0 to bind to all interfaces.").option("--ignore-https-errors", "ignore https errors").option("--init-page <path...>", "path to TypeScript file to evaluate on Playwright page object").option("--init-script <path...>", "path to JavaScript file to add as an initialization script. The script will be evaluated in every page before any of the page's scripts. Can be specified multiple times.").option("--isolated", "keep the browser profile in memory, do not save it to disk.").option("--image-responses <mode>", 'whether to send image responses to the client. Can be "allow" or "omit", Defaults to "allow".', import_config.enumParser.bind(null, "--image-responses", ["allow", "omit"])).option("--no-sandbox", "disable the sandbox for all process types that are normally sandboxed.").option("--output-dir <path>", "path to the directory for output files.").option("--port <port>", "port to listen on for SSE transport.").option("--proxy-bypass <bypass>", 'comma-separated domains to bypass proxy, for example ".com,chromium.org,.domain.com"').option("--proxy-server <proxy>", 'specify proxy server, for example "http://myproxy:3128" or "socks5://myproxy:8080"').option("--save-session", "Whether to save the Playwright MCP session into the output directory.").option("--save-trace", "Whether to save the Playwright Trace of the session into the output directory.").option("--save-video <size>", 'Whether to save the video of the session into the output directory. For example "--save-video=800x600"', import_config.resolutionParser.bind(null, "--save-video")).option("--secrets <path>", "path to a file containing secrets in the dotenv format", import_config.dotenvFileLoader).option("--shared-browser-context", "reuse the same browser context between all connected HTTP clients.").option("--snapshot-mode <mode>", 'when taking snapshots for responses, specifies the mode to use. Can be "incremental", "full", or "none". Default is incremental.').option("--storage-state <path>", "path to the storage state file for isolated sessions.").option("--test-id-attribute <attribute>", 'specify the attribute to use for test ids, defaults to "data-testid"').option("--timeout-action <timeout>", "specify action timeout in milliseconds, defaults to 5000ms", import_config.numberParser).option("--timeout-navigation <timeout>", "specify navigation timeout in milliseconds, defaults to 60000ms", import_config.numberParser).option("--user-agent <ua string>", "specify user agent string").option("--user-data-dir <path>", "path to the user data directory. If not specified, a temporary directory will be created.").option("--viewport-size <size>", 'specify browser viewport size in pixels, for example "1280x720"', import_config.resolutionParser.bind(null, "--viewport-size")).addOption(new import_utilsBundle.ProgramOption("--vision", "Legacy option, use --caps=vision instead").hideHelp()).action(async (options) => {
     (0, import_watchdog.setupExitWatchdog)();
     if (options.vision) {
       console.error("The --vision option is deprecated, use --caps=vision instead");

package/lib/mcp/sdk/server.js

@@ -28,6 +28,7 @@ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__ge
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 var server_exports = {};
 __export(server_exports, {
+  allRootPaths: () => allRootPaths,
   connect: () => connect,
   createServer: () => createServer,
   firstRootPath: () => firstRootPath,
@@ -175,6 +176,20 @@ function firstRootPath(clientInfo) {
     return void 0;
   }
 }
+function allRootPaths(clientInfo) {
+  const paths = [];
+  for (const root of clientInfo.roots) {
+    try {
+      const url = new URL(root.uri);
+      const path = (0, import_url.fileURLToPath)(url);
+      if (path)
+        paths.push(path);
+    } catch (error) {
+      serverDebug(error);
+    }
+  }
+  return paths;
+}
 function mergeTextParts(result) {
   const content = [];
   const testParts = [];
@@ -198,6 +213,7 @@ function mergeTextParts(result) {
 }
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
+  allRootPaths,
   connect,
   createServer,
   firstRootPath,

package/lib/mcp/test/plannerTools.js

@@ -62,8 +62,11 @@ const planSchema = import_mcpBundle.z.object({
     tests: import_mcpBundle.z.array(import_mcpBundle.z.object({
       name: import_mcpBundle.z.string().describe("The name of the test"),
       file: import_mcpBundle.z.string().describe('The file the test should be saved to, for example: "tests/<suite-name>/<test-name>.spec.ts".'),
-      steps: import_mcpBundle.z.array(import_mcpBundle.z.string().describe(`The steps to be executed to perform the test. For example: 'Click on the "Submit" button'`)),
-      expectedResults: import_mcpBundle.z.array(import_mcpBundle.z.string().describe("The expected results of the steps for test to verify."))
+      steps: import_mcpBundle.z.array(import_mcpBundle.z.object({
+        perform: import_mcpBundle.z.string().describe(`Action to perform. For example: 'Click on the "Submit" button'.`),
+        expect: import_mcpBundle.z.string().optional().describe(`Expected result of the action where appropriate. For example: 'The page should show the "Thank you for your submission" message'`)
+      })),
+      postConditions: import_mcpBundle.z.array(import_mcpBundle.z.string().describe(`Post conditions to verify that are not covered by the steps. Can be empty`))
     }))
   }))
 });
@@ -118,12 +121,17 @@ const saveTestPlan = (0, import_testTool.defineTestTool)({
         lines.push(`**File:** \`${test.file}\``);
         lines.push(``);
         lines.push(`**Steps:**`);
-        for (let k = 0; k < test.steps.length; k++)
-          lines.push(`  ${k + 1}. ${test.steps[k]}`);
-        lines.push(``);
-        lines.push(`**Expected Results:**`);
-        for (const result of test.expectedResults)
-          lines.push(`  - ${result}`);
+        for (let k = 0; k < test.steps.length; k++) {
+          lines.push(`  ${k + 1}. ${test.steps[k].perform}`);
+          if (test.steps[k].expect?.trim())
+            lines.push(`  ${" ".repeat(String(k + 1).length)}  Expect: ${test.steps[k].expect}`);
+        }
+        if (test.postConditions.length) {
+          lines.push(``);
+          lines.push(`**Post Conditions:**`);
+          for (const postCondition of test.postConditions)
+            lines.push(`  - ${postCondition}`);
+        }
       }
     }
     lines.push(``);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "playwright",
-  "version": "1.58.0-alpha-2025-12-30",
+  "version": "1.58.0-alpha-2026-01-01",
   "description": "A high-level API to automate web browsers",
   "repository": {
     "type": "git",
@@ -64,7 +64,7 @@
   },
   "license": "Apache-2.0",
   "dependencies": {
-    "playwright-core": "1.58.0-alpha-2025-12-30"
+    "playwright-core": "1.58.0-alpha-2026-01-01"
   },
   "optionalDependencies": {
     "fsevents": "2.3.2"