External MCP Client API / Permissions

[jasonjmcghee]

I haven't yet seen discussions around external MCP clients (outside of the browser context).

(Please let me know if I missed something in the current specification or subsequent discussions)

I could imagine users wanting to use their normal mcp client, like Claude Desktop / Code, Copilot, Cursor, etc. to interface with WebMCP.

The security model is clearly different than self-contained and prone to all the same attack vectors like prompt injection etc, and likely more dangerous due to potentially pre-approved commands etc.

All that being said, external permissions, e.g. webcam, microphone, etc are not unheard of in the browser.

Just wanted to bring this up- is this a goal or anti-goal of the proposal in its current form?

[bwalderman]

The proposal in its current form is more concerned with how a page (or service worker?) exposes tools to the browser for making available to agents. It's less clear about exactly how the browser does that since agents can take many forms. These are some examples:

• 1st-party in-browser agent: Tools from the page could be exposed to the in-browser agent through browser-specific internal APIs. Since the browser and agent UX are tightly integrated, there's lots of flexibility for how to prompt the user for permission. The user could be prompted inline in the agent's conversation area, or through a normal permission dialog as is done with webcam, mic, etc.

• 3rd-party in-browser agent: These would likely be implemented as browser extensions, so it would make sense to add browser extension APIs for listing/executing the tools on a given tab. Permissions could be governed by an extension's manifest.

• External desktop agents: This may be an LLM-based tool like Claude or Copilot, or perhaps an assistive tool or OS feature that wants to use WebMCP alongside the page's ARIA/accessibility tree for interaction. Some sort of external connection would be needed so the desktop agent can communicate with a browser process. For example, a native app might have a browser extension component and communicate via native app messaging (like MCP-B). This is the riskiest option since it potentially opens up a malicious page to the full power of a user's PC. I'm not sure how to enable something like this safely, but it's definitely something under consideration.

[jasonjmcghee]

This is the riskiest option since it potentially opens up a malicious page to the full power of a user's PC. I'm not sure how to enable something like this safely, but it's definitely something under consideration.

Yup - Even if it's not in the native proposal, I think it's definitely worth this being a visible thing. The security implications need to be carefully considered regardless, but the external desktop agent scenario especially.

Happy to close if you think this is "resolved" in its current state.

[MiguelsPizza]

I'm not sure how to enable something like this safely, but it's definitely something under consideration.

Perhaps we could write custom MCP transports over the Chrome DevTools Protocol? That way webMCP tools are only exposed to the desktop during explicit browser automation/testing tasks:

google-chrome \
  --remote-debugging-port=9222 \
  --enable-mcp-over-cdp \
  --mcp-permissions="prompt" \
  --mcp-allowed-domains="localhost,*.github.com"

The risk of something like MCP-B's native bridge is you might forget you have the MCP-B local MCP proxy connected to your editor/MCP host. It silently collects tools from all tabs your have open, and you might not even be aware that a malicious website is prompt injecting your editor session. (We are disabling it in the non-dev version for this reason)

Would this sort of thing be in scope for a browser api @bwalderman ? the server transport could be built into the browser but I'm not sure how we would handle the client transport since it potentially lives outside of the browser.

[bvandersloot-mozilla]

Perhaps we could write custom MCP transports over the Chrome DevTools Protocol?

Or perhaps WebDriver BiDi?

[bwalderman]

Protocols for connecting external agents were discussed a while back. There was a resolution to favor high-level hooks for listing/executing tools as opposed to implementing a raw MCP transport on top of debugging/testing protocols like WebDriver and CDP.

For WebDriver BiDi and CDP, this would mean adding a new WebMCP module/domain respectively, with commands and events for:

• listTools
• executeTool
• toolsChanged
• toolCalled

This way, WebMCP tools are surfaced as a first-class concept in these debugging and testing protocols; in keeping with how these protocols are currently designed. It also avoids tight coupling between these protocols and MCP. Developers that want to build WebMCP/MCP bridges would still be able to do so by building an MCP transport on top of these new commands/events.