The MCP daemon WebSocket server accepts connections on all three
endpoints (/bridge, /cli, /extension) without checking the Origin
header. This allows a malicious web page to open a WebSocket to
ws://127.0.0.1:9223/bridge and send tool calls that execute browser
automation (navigate, click, read page content, take screenshots,
access bookmarks/history).

Add Origin header validation in the HTTP upgrade handler:
- Allow connections with no Origin (Node.js clients: bridge.ts, cli.ts)
- Allow chrome-extension:// and moz-extension:// origins
- Reject all http:// and https:// origins with 403 Forbidden

This prevents cross-site WebSocket hijacking (CSWSH) where JavaScript
on an attacker-controlled page connects to the local daemon.

CWE-319
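
One way to implement the Origin check this commit message describes, as an added example that is not the project's own code. The endpoint paths and allowed schemes are taken from the message; the function names, the 404 for unknown paths, and the deny-by-default handling of any other Origin (including the literal `null`) are assumptions.

```javascript
// Added example, not the project's code. Endpoint paths and allowed schemes
// come from the commit message; names and deny-by-default are assumptions.
const ENDPOINTS = new Set(["/bridge", "/cli", "/extension"]);
const ALLOWED_SCHEMES = new Set(["chrome-extension:", "moz-extension:"]);

// Decide whether an Origin header value may open a WebSocket.
function isOriginAllowed(origin) {
  // Non-browser clients (the Node.js bridge and CLI) send no Origin header.
  if (origin === undefined) return true;
  // Browsers send the literal string "null" for opaque origins (sandboxed
  // iframes, file: pages); that is still a browser context, so deny it.
  if (typeof origin !== "string" || origin === "" || origin === "null") return false;
  let parsed;
  try {
    parsed = new URL(origin);
  } catch {
    return false; // unparseable Origin: deny
  }
  // Scheme allowlist; http:, https: and anything unlisted fall through to deny.
  return ALLOWED_SCHEMES.has(parsed.protocol) && parsed.hostname !== "";
}

// Decision for one upgrade request (assumption: unknown paths get 404).
function checkUpgrade(req) {
  const path = (req.url || "").split("?")[0];
  if (!ENDPOINTS.has(path)) return { ok: false, status: 404 };
  if (!isOriginAllowed(req.headers.origin)) return { ok: false, status: 403 };
  return { ok: true, status: 101 };
}

// Run the check on a Node http.Server before any WebSocket handshake.
// onAccept is a hypothetical callback that completes the handshake.
function attachOriginGuard(server, onAccept) {
  server.on("upgrade", (req, socket, head) => {
    const decision = checkUpgrade(req);
    if (!decision.ok) {
      const reason = decision.status === 403 ? "Forbidden" : "Not Found";
      socket.end(`HTTP/1.1 ${decision.status} ${reason}\r\nConnection: close\r\n\r\n`);
      return;
    }
    onAccept(req, socket, head);
  });
}
```

Allowing every `chrome-extension://` and `moz-extension://` origin admits any installed extension; comparing against the daemon's own extension ID is a tighter variant of the same check.
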
- Bumped version to 3.1.0 and updated the description to reflect new capabilities.
- Introduced a shared daemon for handling multiple simultaneous clients, improving performance.
- Added new CLI commands and updated the README for better user guidance.
- Enhanced the package.json to include new dependencies and scripts for the daemon and CLI.
- Refactored the bridge architecture to utilize StreamableHTTP for improved communication with AI agents.
These changes significantly enhance the usability and functionality of the MCP bridge.
- Standardized import statements and added semicolons for consistency in `tsup.config.ts` and `bridge.ts`.
- Enhanced type definitions and formatting in `prompt-input.tsx` and `input-area.tsx` for better readability and maintainability.