feat: support --allowedOrigins & --blockedOrigins in CLI #232
Conversation
|
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request. |
| "puppeteer-core": "24.22.3", | ||
| "yargs": "18.0.0" | ||
| "yargs": "18.0.0", | ||
| "zod": "3.24.1" |
There was a problem hiding this comment.
Build failed in local without zod, so I added. (I wonder if others don't have this issue.)
|
Thanks for the PR. We will review it once we are sure we want to use request interception for this. Request interception has a bunch of drawbacks. Could you please file an issue describing your use case instead so that we can collect the feedback from other users as well? |
This PR adds URL validation functionality to restrict Puppeteer browser navigation to allowed origins.
UrlValidatorclass with allowlist/denylist support using glob patterns--allowedOrigins,--deniedOrigins) to configure URL filteringMotivation
When adopting browser automation MCPs in a corporate environment, it can be a good reason for adoption to restrict accessible origins to deal with security concerns. Flagging on which domains the MCP server can access (e.g. localhost only) prevents unintended navigation to unauthorized or potentially malicious sites while
maintaining safe internal tool usage.