Trust Me, I'm Local: Chrome Extensions, MCP, and the Sandbox Escape

(blog.extensiontotal.com)

by el_duderino

947h ago

24 comments

Comments (24)

telotortium5h ago

Literally nothing here is specific to MCP - it all has to do with the fact that Chrome extensions can make HTTP connections to localhost ports, which could be running any kind of server. This is not an unrestricted backdoor either - Chrome extensions already need permissions in the manifest to talk to localhost, except via content scripts, which run in the context of the website and so could be served by the website without any extension installed.

fluffet5h ago

Woah, I had no idea. Thanks for the article.

I feel like some cycle phenomenon has been reached here..

The first protocols of the internet were very naive. Why'd you need to encrypt traffic? What do you mean exploit DNS, why would anyone do that?

Then people realised that the internet is a really, really wild place and that won't do.

I suddenly feel old, because this new AI tool era seems to have forgotten that lesson.

I feel it's like watching crypto learn by any% speedrunning why regulations and oversight might be a good in the first place (FTX and such).

I hope the next generation of AI tech/protocols are more robust, trust just doesn't cut it, or we'll see plenty of fingers being burnt at the stove.

npace126h ago

I built little-rat (chrome extension) a couple of years ago that can track and block traffic from other extensions:

https://github.com/dnakov/little-rat

OsrsNeedsf2P5h ago

Lots of people think MCP is a case of "wow, how did we forget basic security", but I wonder if there were other competitors that MCP beat _because_ they had security friction.

bhelx3h ago

This is the first i've heard of people using the SSE transport locally. What purpose what that serve? Is this by design because the chrome extension could not talk to it otherwise?

BTW, you should really run your MCP servers in a sandboxed environment, esp if they don't need to do things like `exec` or read from the filesystem. We do this with the https://mcp.run ecosystem by wrapping them in wasm. Because they are wasm you could also run them right in the chrome extension!

brap4h ago

I still don’t understand why we even need a new protocol when we already have something like the OpenAPI spec, which can also be used to describe common authentication mechanisms like OAuth2. And it supports almost every existing API out of the box.

Granted it doesn’t separate between “resources”, “tools” and “prompts” but I think the line is blurry anyway.

And yes it can be used locally.

olalonde1h ago

So do we add authentication to MCP servers or does Chrome fix this by restricting unauthorized calls to localhost?

OsrsNeedsf2P5h ago

https://archive.is/HQMBa

rvz4h ago

Every time a startup uses an MCP server in their product software offering or even offers their own, I can only see the number of security consultants waiting for a massive payout when an LLM causes a security incident.

gitroom1h ago

bruh this stuff honestly makes my head spin - feels like were all relearning the same old security lessons