
feat: add cookies, localStorage and sessionStorage #49


Open. Wants to merge 19 commits into base: staging

Conversation


@thepushkarp thepushkarp commented Mar 5, 2025

Hi, while working on browser-tools-mcp, I felt that having access to cookies, localStorage, and sessionStorage would aid the agent in debugging errors.

@tedjames let me know your thoughts and if I should make any further changes to this.

Thanks!

Overview of Changes

  • Adds cookies, localStorage, and sessionStorage to the MCP tools
  • Adds Sensitive Data Settings to the Dev Tools Panel to control data security of cookies and local/session storage
  • Adds an .editorconfig file to maintain formatting consistency

MCP Functions introduced

  • mcp_getCookies - Get cookies from the current page
  • mcp_getLocalStorage - Get localStorage data
  • mcp_getSessionStorage - Get sessionStorage data

This comment was updated to reflect the latest changes introduced in this PR based on further discussions.


tedjames commented Mar 6, 2025

Nice! I was thinking of integrating this as well!! I intentionally did not do this so that users would never send sensitive tokens to an LLM. I'm thinking we could leave this disabled by default and allow it to be configurable in the dev tools panel?

It would also be nice to persist this config to the browser...

On another note, what is everyone's thoughts on the security model for this?

I'm wondering if users opt-in for this, maybe there's a way to "detect" a token in the cookies, local storage and session storage to avoid sending. Then make that a configurable option as well ("include tokens").

Perhaps regex could be a good starting point?

@thepushkarp (Author)

I'm thinking we could leave this disabled by default and allow it to be configurable in the dev tools panel?

This sounds great! Adding to it, we can have three modes to handle these data in the mcp server, all configurable from the dev tools panel:

  • no access to cookies and local/session storage tools [default]
  • access to cookie and local/session storage tools but send no tokens — tokens can be detected and filtered out using a mix of regex (for popular tokens) and entropy techniques
  • access to everything — need to add a disclaimer that enabling this would expose your keys to the LLMs

Let me know your thoughts on this 👍

…nStorage)

- Add the ability to retrieve and analyze cookies, localStorage, and sessionStorage.
- Implement new MCP tools and API endpoints for accessing browser storage data.
- Enhance the Chrome extension to capture browser storage.
@thepushkarp thepushkarp changed the base branch from main to staging March 9, 2025 08:15
@thepushkarp thepushkarp marked this pull request as draft March 9, 2025 18:29
- Introduces settings to control the inclusion of sensitive data.
- Implements filtering for cookies, local storage, and session storage.
- Adds entropy calculation for more aggressive sensitive data checking.

thepushkarp commented Mar 10, 2025

Hi,

The server and Chrome extension now support the three data sensitivity settings:

  • Hide All Cookies and Storage (Maximum privacy, no data will be sent to the server) -> default
  • Hide Only Sensitive Data (Sensitive cookies and storage will be filtered out, but other cookies and storage will be sent)
  • Hide Nothing (All data will be sent to the server, including potentially sensitive information)

The "Hide Only Sensitive Data" uses a mix of regex matching for all cookie and storage values along with filtering based on Shannon entropy. On smaller strings, the entropy method might lead to false positives on some shorter strings, so it is restricted to strings longer than 16 characters.

All of this filtering is handled by the browser extension itself. None of the sensitive data is sent to the server unless the user has selected the "Hide Nothing" option.

Screenshots

  • Dev Tools Panel [screenshot]
  • getCookies with "Hide All Cookies and Storage" checked [screenshot]
  • getCookies with "Hide Only Sensitive Data" checked [screenshot]
  • getCookies with "Hide Nothing" checked [screenshot]
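The filtering described in this comment (regex matching for known token shapes plus a Shannon entropy check limited to strings longer than 16 characters), together with the three modes proposed earlier in the thread and the "detect a token in cookies/storage" idea, as an added example. This is not the PR's or the browser-tools-mcp project's code; the pattern list, the credential-like key-name regex, the entropy threshold and the `[REDACTED]` placeholder are assumptions made for the example, and the sample cookies and storage entries are constructed. Only the 16-character floor comes from the PR description.

```javascript
// Added example, not code from the browser-tools-mcp PR. Client-side filter
// that applies the three data-sensitivity modes before storage data leaves the
// extension. TOKEN_PATTERNS, SENSITIVE_KEY, ENTROPY_THRESHOLD and the
// '[REDACTED]' placeholder are assumptions; MIN_ENTROPY_LENGTH follows the PR.

// Regexes for common token shapes (constructed for this example).
const TOKEN_PATTERNS = [
  /^Bearer\s+[A-Za-z0-9\-._~+\/]+=*$/i,                   // HTTP bearer token
  /^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$/,  // JWT: header.payload.signature
  /^(gh[pousr]_|github_pat_)[A-Za-z0-9_]{20,}$/,          // GitHub token prefixes
  /^AKIA[0-9A-Z]{16}$/,                                   // AWS access key id
];

// Key names that usually hold credentials, whatever the value looks like.
const SENSITIVE_KEY = /token|secret|password|passwd|auth|session|api[-_]?key|csrf/i;

const MIN_ENTROPY_LENGTH = 16; // from the PR: entropy check only above 16 chars
const ENTROPY_THRESHOLD = 3.5; // bits per character; assumption

// Shannon entropy of a string in bits per character.
function shannonEntropy(s) {
  const chars = [...s];
  if (chars.length === 0) return 0;
  const counts = new Map();
  for (const ch of chars) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / chars.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// A value is treated as sensitive if its key name looks credential-like, if it
// matches a known token shape, or if it is both long and high-entropy. Short
// strings skip the entropy test to avoid the false positives noted in the PR.
function isSensitive(key, value) {
  if (typeof value !== 'string') return false;
  if (SENSITIVE_KEY.test(key)) return true;
  if (TOKEN_PATTERNS.some((re) => re.test(value))) return true;
  return value.length > MIN_ENTROPY_LENGTH && shannonEntropy(value) >= ENTROPY_THRESHOLD;
}

// Modes mirror the dev tools panel options.
const MODE = { HIDE_ALL: 'hide-all', HIDE_SENSITIVE: 'hide-sensitive', HIDE_NOTHING: 'hide-nothing' };

// localStorage / sessionStorage are key -> value maps.
function filterStorage(entries, mode) {
  if (mode === MODE.HIDE_ALL) return {};
  const out = {};
  for (const [k, v] of Object.entries(entries)) {
    out[k] = mode === MODE.HIDE_SENSITIVE && isSensitive(k, v) ? '[REDACTED]' : v;
  }
  return out;
}

// Cookies are handled as a list of { name, value, ... } objects.
function filterCookies(cookies, mode) {
  if (mode === MODE.HIDE_ALL) return [];
  return cookies.map((c) =>
    mode === MODE.HIDE_SENSITIVE && isSensitive(c.name, c.value)
      ? { ...c, value: '[REDACTED]' }
      : { ...c });
}

// Constructed sample data (not taken from any real site).
const SAMPLE_STORAGE = {
  theme: 'dark',
  locale: 'en-US',
  access_token: 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMifQ.abc123', // JWT-shaped
  cartId: '42',
  tracking: 'k8Hq2vZ9xLp4WmN7bT3cRf6Yj1Qs', // innocuous key, high-entropy value
};
const SAMPLE_COOKIES = [
  { name: 'sid', value: 'k8Hq2vZ9xLp4WmN7bT3cRf6Yj1Qs', httpOnly: true },
  { name: 'consent', value: 'accepted', httpOnly: false },
];

console.log(JSON.stringify(filterStorage(SAMPLE_STORAGE, MODE.HIDE_SENSITIVE), null, 2));
console.log(JSON.stringify(filterCookies(SAMPLE_COOKIES, MODE.HIDE_SENSITIVE), null, 2));
```

Redacting with a placeholder rather than dropping the entry is a design choice: the agent still learns that a key exists, which helps debugging, while the value never reaches the server. The `tracking` entry shows why the entropy check is useful: its key name and shape match no pattern, yet a 28-character string with no repeated characters sits far above the threshold.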

@thepushkarp thepushkarp marked this pull request as ready for review March 10, 2025 10:32
@tedjames (Contributor)

Wow! Incredible work!! 🙏

I'm pushing out a different release now which has taken some time to prepare. Let's get this in for the next release (maybe this weekend?)

If you don't mind, can you resolve any conflicts we have with staging branch today? Happy to tackle them as well later this week - traveling a bunch right now and it's been difficult to keep up with all the updates/PRs 😅

@thepushkarp (Author)

Let's get this in for the next release (maybe this weekend?)

Sure thing. I have merged the latest staging branch and have resolved the merge conflicts, so we're good in that regard.
Happy travelling!

eltociear and others added 2 commits March 12, 2025 04:08

tedjames commented Mar 12, 2025

Nice!!! Amazing :)

Will review within the next few days and get this in for a release next Monday at the latest if all goes well!

@thepushkarp (Author)

Hey @tedjames, did you get time to review this feature? lmk if you think we need to change something
