Clarifying WebMCP's Place in the Machine Readable Web Stack #97

@admbradford

Thanks for sharing this proposal. I like the direction. Moving agents from brittle UI actuation toward explicit, app-provided tools feels like the right long-term shape, especially for human-in-the-loop workflows.

I have some firm opinions loosely held here. I do not think we would adopt WebMCP soon, but I could be convinced. A few questions would help me understand how this fits into the broader web stack and whether it can avoid fragmentation.

First, on overlap with the Semantic Web and existing action semantics:

  • One of the original goals of the Semantic Web is machine-readable data and capabilities. There are already established approaches for machine-readable meaning and offered actions, including schema.org’s action model (potential actions, entry points, input/output annotations). How do you see WebMCP relating to that ecosystem?
  • Is the intent that WebMCP is purely an execution layer and deliberately does not try to model action semantics? If so, is there a recommended mapping or best practice so sites do not have to publish two parallel and potentially divergent descriptions of the same capability?

Second, on security model:

  • What is the intended authn/authz and consent model for tool calls? Are calls user-scoped, agent-scoped, or both?
  • How are prompt injection, tool metadata poisoning and output injection meant to be handled in a way that is consistent across agent providers and browser vendors?
  • Is there an explicit threat model for cross-origin data flow when tool outputs from one site become inputs to another?

Third, on determinism versus interpretation:

  • Inputs can be typed via JSON Schema, but are outputs deliberately untyped, or do you expect a standardized output contract to emerge?
  • What parts of tool behavior are enforceable versus hint-based (for example, read-only hints)? What can an agent safely rely on?

Finally, on incentive alignment and adoption:

  • Who is the adoption wedge here? Browsers, sites, or AI platforms?
  • If cross-browser support is uncertain, what is the near-term value proposition for sites to implement WebMCP versus continuing with backend integrations and existing structured metadata?

Appreciate any clarification. I think the UI-present, user-controlled workflow goal is compelling. I mainly want to understand how WebMCP coexists with existing machine-readable web approaches and how you prevent fragmentation while you scale security and determinism.
