Releases: notoriouslab/browser-mcp-lite
Release list
v1.0.3
What's New
Anti-Injection Hardening
Security improvements informed by Agent Threat Rules (ATR) — an open detection standard for AI agent threats covering prompt injection, tool poisoning, and MCP attacks.
Accessibility Tree: Improved Hidden Content Filtering
Malicious web pages can hide prompt injection text using techniques invisible to humans but readable by DOM parsers. isVisible() now catches:
aria-hidden="true"elements — invisible to assistive tech, commonly used to hide injection payloadsfont-size < 2pxtext — invisible to humans, visible to DOM readers- Off-screen positioning (
position: absolute; left: -9999px) — a classic injection hiding technique - Clip-based hiding (
clip-path: inset(100%),clip: rect(0,0,0,0)) — zero-area clipping
Accessibility Tree: Zero-Width Character Stripping
Zero-width and bidirectional control characters (U+200B, U+200C, U+FEFF, U+2060, etc.) are now stripped from all text output. These characters are invisible in rendered text but can carry obfuscated injection instructions when processed by LLMs.
inject_script: Risk Annotation
inject_script now analyzes the submitted code for risky patterns before execution. When detected, a warning is prepended to the result:
⚠ RISK: This script uses network request, cookie access. Verify this was intentional.
Detected patterns: fetch(), XMLHttpRequest, sendBeacon, document.cookie, localStorage/sessionStorage, indexedDB, WebSocket, EventSource, window.open, document.write.
This doesn't block execution (the tool's purpose is arbitrary JS), but makes human review more informed — especially important when a prompt injection attempts to trick the LLM into calling inject_script.
README Badges
Added project badges: npm version, MIT license, MCP compatible, Chrome Extension, ~500 lines.
Acknowledgments
Security analysis for this release was informed by the Agent Threat Rules project — specifically rules ATR-2026-002 (Indirect Prompt Injection via External Content), ATR-2026-061 (Skill Description-Behavior Mismatch), and the broader OWASP Agentic Top 10 mapping. If you're building MCP servers or AI agent tools, ATR is worth checking out.
v1.0.2
What's New
Simplified Installation
npx browser-mcp-lite— run directly without cloning- Auto-setup on first run — token is generated automatically when the server starts, no separate
node setup.jsstep needed - Server prints the full token and a ready-to-paste
.mcp.jsonconfig block on first startup
Installation steps reduced from 5 to 3.
Security Hardening
- Token is only printed in full on first run; subsequent starts show first 8 characters only
focus_tabnow checksisRestricted()to prevent focusing onchrome://internal pagestype="hidden"input values (e.g. CSRF tokens) are filtered from accessibility tree output- Secrets file permissions enforced to
600on every startup .mcp.jsonadded to.gitignoreto prevent accidental token commits
Internal
- Shared token module (
server/token.js) for consistent token generation/loading