Skip to content

11. Secret-free, PII-redacted MCP browsing-state bridge

Context

An AI agent can use live browsing context — what the user is doing right now, whether they visited a site — but browser evidence is dense with secrets. URLs carry OAuth codes, password-reset tokens, and API keys in their query strings; titles and search terms carry emails and secrets; cookies and the login-data store hold credentials outright. Exposing any of that to a model would leak the user's secrets to a third party.

Decision

Expose a narrow MCP server, browser-forensic-mcp, built as two walls. The primary wall is structural: the server depends only on the history and discovery readers and never calls a cookie, password, or autofill reader, so secrets are never read in the first place. The second wall is redaction defense-in-depth: URLs are reduced to scheme://host/path (dropping the query and fragment where tokens live) and free text is masked for emails and long token-like substrings. The surface is bounded — three tools (browsing_context, did_user_visit, list_browsers), each allow-listed and capped, with no unbounded history dump — and every free-text field is tagged untrusted_evidence: true so the agent does not treat evidence as instructions.

Consequences

An agent gets bounded, allow-listed browsing context with the secret classes structurally unreachable, not merely filtered. The bound is deliberately tight: the three shipped tools are a subset of what was scoped, and widening the surface is a deliberate future step, not a default. The untrusted_evidence tagging guards against prompt injection through artifact content.

Status

Accepted.