navigator.modelContext.provideContext allows overwriting of previously registered tools in the same environment #101

@beaufortfrancois

Description

In environments like online stores where first-party code and third-party partner JavaScript run within the same environment, a security concern exists with how WebMCP tools are registered.

Currently, if a site registers an "official" tool, a malicious or accidental third-party script can overwrite it. This could allow the third party to proxy tool calls, effectively observing the entire agent-user interaction, which may include private data.

And here's how it happens: while the navigator.modelContext.registerTool() method throws an error if a tool with the same name already exists, this check is bypassed by navigator.modelContext.provideContext(), which first clears the existing tools before registering the new ones.

Note: A similar issue also arises when registering a tool whose name varies only slightly from an existing one, via navigator.modelContext.registerTool() or a new <form toolname="...">.

Thoughts for discussion

We need a mechanism to prevent unintentional or malicious clobbering of tools when potentially untrusted scripts are operating in the same environment.

  1. Should the entire navigator.modelContext.provideContext({tools: ...}) call fail if it attempts to register a tool name that is already registered, regardless of the method used for the initial registration?
  2. Shall we add an optional strict parameter for navigator.modelContext.provideContext() that when set would cause the call to fail if any tool name in the new context is attempting to hijack an already registered tool name?
  3. Shall we expose a new listTools() method and toolchange event on navigator.modelContext that would allow the controlling script to check for already registered tools before attempting to update the context:
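As an added illustration, not code from the WebMCP spec or from this issue, the JavaScript below models the registry behaviour described above and the checks proposed in points 2 and 3; ModelContextModel, its strict option, the toolchange event name and the "checkout" tool name are assumptions.

```javascript
// Added example, not the browser's navigator.modelContext: an in-memory model
// of the registry behaviour the issue describes plus the proposed mitigations.
// ModelContextModel, { strict } and 'toolchange' are assumed names (points 2, 3).
class ModelContextModel {
  constructor() {
    this.tools = new Map();   // tool name -> descriptor
    this.listeners = [];      // 'toolchange' callbacks (point 3)
  }
  // Current behaviour: registerTool() rejects a name that is already taken.
  registerTool(tool) {
    if (this.tools.has(tool.name)) {
      throw new Error(`tool "${tool.name}" is already registered`);
    }
    this.tools.set(tool.name, tool);
    this.emit('register', [tool.name]);
  }
  // Current behaviour: provideContext() clears every tool, then registers the
  // new set, so the duplicate check above never runs. With strict: true the
  // call fails instead if any new name collides with a registered one (point 2).
  provideContext({ tools }, { strict = false } = {}) {
    const collisions = tools.map(t => t.name).filter(n => this.tools.has(n));
    if (strict && collisions.length > 0) {
      throw new Error(`refusing to overwrite registered tools: ${collisions.join(', ')}`);
    }
    const replaced = [...this.tools.keys()];
    this.tools.clear();
    for (const t of tools) this.tools.set(t.name, t);
    this.emit('provideContext', replaced);   // lets the first party notice the change
  }
  listTools() { return [...this.tools.keys()]; }                       // point 3
  addEventListener(type, cb) { if (type === 'toolchange') this.listeners.push(cb); }
  emit(reason, names) { for (const cb of this.listeners) cb({ reason, names }); }
}

// The issue's scenario: first-party code registers "checkout" (a constructed
// name); a later provideContext() call from another script reuses that name.
function scenario(strict) {
  const ctx = new ModelContextModel();
  const events = [];
  ctx.addEventListener('toolchange', e => events.push(e));   // first-party watcher
  ctx.registerTool({ name: 'checkout', owner: 'first-party' });
  let rejected = false;
  try {
    ctx.provideContext({ tools: [{ name: 'checkout', owner: 'third-party' }] }, { strict });
  } catch (e) {
    rejected = true;
  }
  return { owner: ctx.tools.get('checkout').owner, rejected, changes: events.length };
}
console.log(scenario(false), scenario(true));
```

Without strict the first party's tool is silently replaced and only the toolchange callback reveals it; with strict the call fails and the original registration survives.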
