Skip to content

Releases: notoriouslab/browser-mcp-lite

Release list

v1.0.3

Choose a tag to compare

@notoriouslab notoriouslab released this 02 Apr 05:10

What's New

Anti-Injection Hardening

Security improvements informed by Agent Threat Rules (ATR) — an open detection standard for AI agent threats covering prompt injection, tool poisoning, and MCP attacks.

Accessibility Tree: Improved Hidden Content Filtering

Malicious web pages can hide prompt injection text using techniques invisible to humans but readable by DOM parsers. isVisible() now catches:

  • aria-hidden="true" elements — invisible to assistive tech, commonly used to hide injection payloads
  • font-size < 2px text — invisible to humans, visible to DOM readers
  • Off-screen positioning (position: absolute; left: -9999px) — a classic injection hiding technique
  • Clip-based hiding (clip-path: inset(100%), clip: rect(0,0,0,0)) — zero-area clipping

Accessibility Tree: Zero-Width Character Stripping

Zero-width and bidirectional control characters (U+200B, U+200C, U+FEFF, U+2060, etc.) are now stripped from all text output. These characters are invisible in rendered text but can carry obfuscated injection instructions when processed by LLMs.

inject_script: Risk Annotation

inject_script now analyzes the submitted code for risky patterns before execution. When detected, a warning is prepended to the result:

⚠ RISK: This script uses network request, cookie access. Verify this was intentional.

Detected patterns: fetch(), XMLHttpRequest, sendBeacon, document.cookie, localStorage/sessionStorage, indexedDB, WebSocket, EventSource, window.open, document.write.

This doesn't block execution (the tool's purpose is arbitrary JS), but makes human review more informed — especially important when a prompt injection attempts to trick the LLM into calling inject_script.

README Badges

Added project badges: npm version, MIT license, MCP compatible, Chrome Extension, ~500 lines.


Acknowledgments

Security analysis for this release was informed by the Agent Threat Rules project — specifically rules ATR-2026-002 (Indirect Prompt Injection via External Content), ATR-2026-061 (Skill Description-Behavior Mismatch), and the broader OWASP Agentic Top 10 mapping. If you're building MCP servers or AI agent tools, ATR is worth checking out.

v1.0.2

Choose a tag to compare

@notoriouslab notoriouslab released this 02 Apr 02:22

What's New

Simplified Installation

  • npx browser-mcp-lite — run directly without cloning
  • Auto-setup on first run — token is generated automatically when the server starts, no separate node setup.js step needed
  • Server prints the full token and a ready-to-paste .mcp.json config block on first startup

Installation steps reduced from 5 to 3.

Security Hardening

  • Token is only printed in full on first run; subsequent starts show first 8 characters only
  • focus_tab now checks isRestricted() to prevent focusing on chrome:// internal pages
  • type="hidden" input values (e.g. CSRF tokens) are filtered from accessibility tree output
  • Secrets file permissions enforced to 600 on every startup
  • .mcp.json added to .gitignore to prevent accidental token commits

Internal

  • Shared token module (server/token.js) for consistent token generation/loading