Add security and privacy questionnaire#195
Draft
victorhuangwq wants to merge 5 commits into
Draft
Conversation
domfarolino
reviewed
May 30, 2026
|
|
||
| WebMCP exposes author-defined tool metadata and tool return values to the user agent. It does not expose new information about the user or their environment to origins. | ||
|
|
||
| Cross-origin iframes may discover these tools only if the tool author explicitly opts in via `exposedTo`. |
Collaborator
There was a problem hiding this comment.
|
|
||
| > 01. What information does this feature expose, and for what purposes? | ||
|
|
||
| WebMCP exposes author-defined tool metadata and tool return values to the user agent. It does not expose new information about the user or their environment to origins. |
Collaborator
There was a problem hiding this comment.
Suggested change
| WebMCP exposes author-defined tool metadata and tool return values to the user agent. It does not expose new information about the user or their environment to origins. | |
| WebMCP exposes author-defined tool metadata and tool return values to the built-in AI agent. It does not expose new information about the user or their environment to origins. |
|
|
||
| > 02. Do features in your specification expose the minimum amount of information necessary to implement the intended functionality? | ||
|
|
||
| Yes. The API surface exposes only what is necessary for agents to discover and invoke tools. The information that flows through tool parameters and return values is entirely scoped to what the author declares. |
Collaborator
There was a problem hiding this comment.
Suggested change
| Yes. The API surface exposes only what is necessary for agents to discover and invoke tools. The information that flows through tool parameters and return values is entirely scoped to what the author declares. | |
| Yes. The API surface exposes only what is necessary for agents to discover and invoke tools. The information that flows through tool metadata like parameters and annotations, as well as tool return values, is entirely scoped to what the author declares. |
|
|
||
| > 03. Do the features in your specification expose personal information, personally-identifiable information (PII), or information derived from either? | ||
|
|
||
| No, the API itself does not expose PII. |
Collaborator
There was a problem hiding this comment.
Suggested change
| No, the API itself does not expose PII. | |
| No, the API itself does not expose PII, but the tools that authors choose to implement _can_, depending on their nature. |
|
|
||
| No, the API itself does not expose PII. | ||
|
|
||
| We note a novel challenge for agent implementors: malicious tools can request a non-minimal set of personal data via their input parameters, causing privacy leakage. See [Privacy Leakage through Over-Parameterization](https://w3c.github.io/webmcp/#privacy-leakage-over-parameterization) for details. WebMCP does not increase the attack vector compared to tools in non-WebMCP contexts, but implementors should be aware that this risk exists. |
Collaborator
There was a problem hiding this comment.
Suggested change
| We note a novel challenge for agent implementors: malicious tools can request a non-minimal set of personal data via their input parameters, causing privacy leakage. See [Privacy Leakage through Over-Parameterization](https://w3c.github.io/webmcp/#privacy-leakage-over-parameterization) for details. WebMCP does not increase the attack vector compared to tools in non-WebMCP contexts, but implementors should be aware that this risk exists. | |
| We note a novel challenge for agent implementers: malicious tools can request a non-minimal set of personal data via their input parameters, causing privacy leakage. See [Privacy Leakage through Over-Parameterization](https://w3c.github.io/webmcp/#privacy-leakage-over-parameterization) for details. WebMCP does not increase the attack vector compared to tools in non-WebMCP contexts, but agent implementers should be aware that this risk exists. |
small nit: https://whatwg.org/style-guide#dictionary
|
|
||
| > 10. Do features in this specification enable new script execution/loading mechanisms? | ||
|
|
||
| No. Tool `execute` callbacks are ordinary JavaScript invoked in the registering document's existing realm. |
Collaborator
There was a problem hiding this comment.
Suggested change
| No. Tool `execute` callbacks are ordinary JavaScript invoked in the registering document's existing realm. | |
| No. Tool [`execute`](https://webmachinelearning.github.io/webmcp/#dom-modelcontexttool-execute) callbacks are ordinary JavaScript invoked in the registering document's existing realm. |
If we keep this answer, I have the suggestion above. However, I think there's a chance we might want to say "Yes" to this question, since we're basically introducing a structured postMessage() v2, which allows a set of authorized origins to basically directly schedule callbacks in the tool provider's realm, which is kind of "new" on the platform. Since this is relevant to the TAG review we'll file, let me just ask @jyasskin directly: what do you think our answer should be for this question?
|
|
||
| > 14. How does this specification distinguish between behavior in first-party and third-party contexts? | ||
|
|
||
| The feature is gated by Permissions Policy `"tools"`. It is allowed in top-level documents and same-origin descendants by default; Permissions Policy can be used to allow it in cross-origin iframes and/or to disallow it in same-origin frames. |
Collaborator
There was a problem hiding this comment.
Suggested change
| The feature is gated by Permissions Policy `"tools"`. It is allowed in top-level documents and same-origin descendants by default; Permissions Policy can be used to allow it in cross-origin iframes and/or to disallow it in same-origin frames. | |
| The feature is gated by the [`"tools"`](https://webmachinelearning.github.io/webmcp/#permissiondef-tools) permission policy. It is allowed in top-level documents and same-origin descendants by default; The permission policy can be used to allow it in cross-origin iframes and/or to disallow it in same-origin frames. |
|
|
||
| The feature is gated by Permissions Policy `"tools"`. It is allowed in top-level documents and same-origin descendants by default; Permissions Policy can be used to allow it in cross-origin iframes and/or to disallow it in same-origin frames. | ||
|
|
||
| Additionally, tools can specify `exposedTo` to control which origins (or `native-agents`, name to be bikeshed per [#179](https://github.com/webmachinelearning/webmcp/pull/179)) can discover them. |
Collaborator
There was a problem hiding this comment.
Link to exposedTo again.
|
|
||
| > 18. What happens when a document that uses your feature is kept alive in BFCache (instead of getting destroyed) after navigation, and potentially gets reused on future navigations back to the document? | ||
|
|
||
| A BFCached document's registered tools remain in memory. While the document is non-fully-active, agents cannot invoke its tools or deliver events to it. On restoration, registered tools become available again. |
Collaborator
There was a problem hiding this comment.
Also add a note about how a document cannot register tools while in the bfcache, nor can it retrieve the list of tools available to it.
|
|
||
| > 19. What happens when a document that uses your feature gets disconnected? | ||
|
|
||
| A disconnected document's tools are no longer discoverable or invokable by agents. Pending tool invocations associated with the document are abandoned. |
Collaborator
There was a problem hiding this comment.
This is not spec'd yet, so let's make a note that this will be the case, but the spec needs to catch up. And let's clarify that "abandoned" means that:
- In-page agents: the caller's Promise will be rejected
- Built-in agents: the agent will be notified that the tool call failed.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Addresses #193
cc: @bwalderman @johannhof @domfarolino