WebMCP design fundamentally breaks origin isolation

[earlence-uwm]

I wrote a blogpost about how an attacker can use prompt injections to break origin isolation and cause forced tool execution on a victim page.

https://www.earlence.com/blog.html#/post/webmcp-sameorigin

This requires some serious thinking about WebMCP's security properties.

[domfarolino]

Hi, Chrome engineer here. I read the disclosure section of your block. I assume you have a crbug you can point me to, so I I can get more context on this?

[domfarolino]

/cc @johannhof @jpagnucco

[earlence-uwm]

Here is the buganizer link: https://issues.chromium.org/issues/504689678

[johannhof]

Thank you for doing this work and sharing it. There is quite a lot of thought going into how WebMCP can be secured in practical agent deployments, and how the API itself can support that. Many of the current thoughts are written up here: https://github.com/webmachinelearning/webmcp/blob/main/docs/security-privacy-considerations.md

Ultimately, extensions and same-device agents leveraging the browser to interact with websites via WebMCP have a responsibility to secure themselves against prompt injection. The API can not carry them 100% of the way there, though we should try to make it as easy as possible, of course. An important part of securing each agent is understanding the threat model - is it restricted to trusted content, does it have access to private information, is it an end user product?

In this case, the extension you attacked is a developer tool and includes no specific protections against PI. It is a great example of what can go wrong if we don't add additional security layers, but I believe it is within its threat model as a simple developer demo tool that is not meant to be used by end users.

I'd love to get your thoughts and engagement on the security considerations linked above and other security-related work the CG is doing, but I don't think this issue in itself is actionable, so would suggest closing it.

[earlence-uwm]

Thanks for the thoughtful response. I'll engage with the linked document above.