From 93b31abc21d928440e7c7e1692246ad07d650f9a Mon Sep 17 00:00:00 2001 From: Johann Hofmann Date: Tue, 24 Feb 2026 11:46:37 -0500 Subject: [PATCH 1/4] Add a mitigations section to S&P considerations --- docs/security-privacy-considerations.md | 42 +++++++++++++++++++++++-- 1 file changed, 40 insertions(+), 2 deletions(-) diff --git a/docs/security-privacy-considerations.md b/docs/security-privacy-considerations.md index 164e95e..e3d0d07 100644 --- a/docs/security-privacy-considerations.md +++ b/docs/security-privacy-considerations.md @@ -37,9 +37,15 @@ These capabilities enable powerful user experiences but also create new risks th - [1. Prompt Injection Attacks](#1-prompt-injection-attacks) - [Metadata / Description Attacks (Tool Poisoning)](#1-metadata--description-attacks-tool-poisoning) - [Output Injection Attacks](#2-output-injection-attacks) + - [Tool Implementation as Attack Targets](#3-tool-implementation-as-attack-targets) - [2. Misrepresentation of Intent](#2-misrepresentation-of-intent) - [3. Privacy Leakage Through Over-Parameterization](#3-privacy-leakage-through-over-parameterization) - [Open Questions for Discussion](#open-questions-for-discussion) +- [Mitigations](#mitigations) +- [Proposed Mitigations](#proposed-mitigations) + - [Consider restricting maximum input lengths](#consider-restricting-maximum-input-lengths) + - [Proposal: Treat hidden and visible elements in declarative MCP differently](#proposal-treat-hidden-and-visible-elements-in-declarative-mcp-differently) + - [Supporting interoperable probabilistic defense structures through shared attack eval datasets](#supporting-interoperable-probabilistic-defense-structures-through-shared-attack-eval-datasets) - [Next Steps](#next-steps) - [References](#references) 
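Review bot: the new ToC entry `- [Proposed Mitigations](#proposed-mitigations)` is placed at the same indentation as `- [Mitigations](#mitigations)`, but in the body of this series "Proposed Mitigations" is an `###` heading nested under the `##` "Mitigations" heading; indent the "Proposed Mitigations" entry (and its three children) one level so the ToC matches the heading hierarchy, as the existing "Prompt Injection Attacks" entries do for their sub-sections. Also worth a quick check that the `#3-tool-implementation-as-attack-targets` anchor matches the actual heading text of that section, since the sibling anchors (`#1-metadata--description-attacks-tool-poisoning`, `#2-output-injection-attacks`) show the numbering scheme the headings use.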
@@ -155,7 +161,9 @@ navigator.modelContext.registerTool({ Websites exposing valuable functionality through WebMCP tools can themselves become targets for attacks. -- **Threat Actor**: Malicious actors who gain control of agents with access to WebMCP tools +- **Threat Actors**: + - Malicious websites creating WebMCP tools + - Malicious actors influencing website content (e.g., untrusted user-generated content on platforms like Reddit, forums, review sites) - **Target**: Websites implementing valuable or sensitive WebMCP tools - **Assets at Risk**: - High-value actions exposed by the tool (e.g., database access, transactions) 
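Review bot: replacing "Malicious actors who gain control of agents with access to WebMCP tools" with "Malicious websites creating WebMCP tools" changes who the threat actor is in a section whose premise is that the website is the target, so the new first bullet reads as self-contradictory; the second bullet (actors influencing website content) fits the section, the first does not. Since PATCH 2/4 reverts this hunk as accidental, it should not appear in the merged history at all; squash it out rather than landing the change and the revert.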
@@ -335,6 +343,36 @@ To advance the security and privacy posture of WebMCP, we need community input o - Should some tool categories require elevated permissions or review processes? - Related: [Issue #44 - Action-specific permission](https://github.com/webmachinelearning/webmcp/issues/44) +## Mitigations + +### Proposed Mitigations + +#### [Consider restricting maximum input lengths](https://github.com/webmachinelearning/webmcp/issues/73) + +**What:** Restrict the maximum amount of characters + +**Threats addressed:** Metadata / Description Attacks (Tool Poisoning) + +**How:** This restriction would not fully solve prompt injection attacks but helps shrink the possible universe of attacks, preventing longer prompts that leverage e.g. repetition and [sockpuppeting](https://arxiv.org/pdf/2601.13359) to convince agents of malicious tasks. + +#### [Proposal: Treat hidden and visible elements in declarative MCP differently](https://github.com/webmachinelearning/webmcp/issues/95) + +**What:** Potentially restrict filling out hidden elements in declarative WebMCP + +**Threats addressed:** Over-Parameterization through the declarative API + +**How:** By ensuring that the user sees all the content before it gets submitted + +#### [Supporting interoperable probabilistic defense structures through shared attack eval datasets](https://github.com/webmachinelearning/webmcp/issues/106) + +**What:** Shared evals for prompt injection attacks against WebMCP + +**Threats addressed:** Prompt Injection Attacks (potentially Privacy Leakage Through Over-Parameterization) + +**How:** Ensuring an interoperable basis for prompt injection defense, by requiring any implementer to protect against at least the attacks in that dataset + +... add more issues here + ## Next Steps This document is intended to spark discussion and collaboration on WebMCP security and privacy considerations. We invite the community to: 
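Review bot: the placeholder line `... add more issues here` would ship in the published document; either drop it or turn it into an explicit sentence inviting readers to propose further mitigations via the issue tracker. Two smaller consistency points in the same hunk: the "Threats addressed" field should reuse the exact threat names defined earlier in the document ("Over-Parameterization through the declarative API" is not one of the listed threats, whereas "Privacy Leakage Through Over-Parameterization" is), and the `**How:**` entries for the second and third proposals are sentence fragments ("By ensuring that the user sees all the content before it gets submitted"), unlike the first, which is a full sentence; pick one form for all three.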
@@ -352,4 +390,4 @@ This document is intended to spark discussion and collaboration on WebMCP securi ## Acknowledgment -This document was initially drafted based on discussion points from [Victor Huang](https://github.com/victorhuangwq), [Khushal Sagar](https://github.com/khushalsagar), [Johann Hofmann](https://github.com/johannhof), [Emily Lauber](https://github.com/EmLauber), [Dave Risney](https://github.com/david-risney), [Luis Flores](https://github.com/lflores-ms), and [Andrew Nolan](https://github.com/annolanmsft). \ No newline at end of file +This document was initially drafted based on discussion points from [Victor Huang](https://github.com/victorhuangwq), [Khushal Sagar](https://github.com/khushalsagar), [Johann Hofmann](https://github.com/johannhof), [Emily Lauber](https://github.com/EmLauber), [Dave Risney](https://github.com/david-risney), [Luis Flores](https://github.com/lflores-ms), and [Andrew Nolan](https://github.com/annolanmsft). From f56be1d59b1d8a4060239176e1a965c41c459329 Mon Sep 17 00:00:00 2001 From: Johann Hofmann Date: Tue, 24 Feb 2026 11:49:53 -0500 Subject: [PATCH 2/4] Remove accidental change --- docs/security-privacy-considerations.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/docs/security-privacy-considerations.md b/docs/security-privacy-considerations.md index e3d0d07..6d9213c 100644 --- a/docs/security-privacy-considerations.md +++ b/docs/security-privacy-considerations.md 
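Review bot: the only change in this hunk is adding the missing trailing newline after the Acknowledgment line (`\ No newline at end of file` goes away); that is fine, but it is unrelated to "Add a mitigations section", so either mention it in the commit message or move it to its own commit so the diff stays reviewable.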
@@ -161,9 +161,7 @@ navigator.modelContext.registerTool({ Websites exposing valuable functionality through WebMCP tools can themselves become targets for attacks. -- **Threat Actors**: - - Malicious websites creating WebMCP tools - - Malicious actors influencing website content (e.g., untrusted user-generated content on platforms like Reddit, forums, review sites) +- **Threat Actor**: Malicious actors who gain control of agents with access to WebMCP tools - **Target**: Websites implementing valuable or sensitive WebMCP tools - **Assets at Risk**: - High-value actions exposed by the tool (e.g., database access, transactions) From dc2f99d805723e81462d6e2ffecdcf8aa9f7d897 Mon Sep 17 00:00:00 2001 From: Johann Hofmann Date: Thu, 26 Feb 2026 20:09:30 -0500 Subject: [PATCH 3/4] Remove section --- docs/security-privacy-considerations.md | 8 -------- 1 file changed, 8 deletions(-) diff --git a/docs/security-privacy-considerations.md b/docs/security-privacy-considerations.md index 6d9213c..f5d0c2f 100644 --- a/docs/security-privacy-considerations.md +++ b/docs/security-privacy-considerations.md 
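Review bot: this hunk restores the original "Threat Actor" line exactly, undoing PATCH 1/4's edit; rather than merging an edit-then-revert pair, squash PATCH 2/4 into PATCH 1/4 so the series only contains the intended mitigations change.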
@@ -353,14 +353,6 @@ To advance the security and privacy posture of WebMCP, we need community input o **How:** This restriction would not fully solve prompt injection attacks but helps shrink the possible universe of attacks, preventing longer prompts that leverage e.g. repetition and [sockpuppeting](https://arxiv.org/pdf/2601.13359) to convince agents of malicious tasks. -#### [Proposal: Treat hidden and visible elements in declarative MCP differently](https://github.com/webmachinelearning/webmcp/issues/95) - -**What:** Potentially restrict filling out hidden elements in declarative WebMCP - -**Threats addressed:** Over-Parameterization through the declarative API - -**How:** By ensuring that the user sees all the content before it gets submitted - #### [Supporting interoperable probabilistic defense structures through shared attack eval datasets](https://github.com/webmachinelearning/webmcp/issues/106) **What:** Shared evals for prompt injection attacks against WebMCP From 1ffeb6a601ac885a0063d937b0fa00e147deabff Mon Sep 17 00:00:00 2001 From: Johann Hofmann Date: Thu, 26 Feb 2026 20:10:01 -0500 Subject: [PATCH 4/4] Also remove ToC entry --- docs/security-privacy-considerations.md | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/security-privacy-considerations.md b/docs/security-privacy-considerations.md index f5d0c2f..e20ae25 100644 --- a/docs/security-privacy-considerations.md +++ b/docs/security-privacy-considerations.md 
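Review bot: the commit message "Remove section" gives no reason for dropping the hidden-vs-visible-elements proposal, and the ToC entry that points at it is left dangling until PATCH 4/4; state the rationale in the message (for example, that the proposal is tracked in issue #95 and is not ready to be listed) and fold the ToC removal into this same commit so no intermediate state has a broken anchor.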
@@ -44,7 +44,6 @@ These capabilities enable powerful user experiences but also create new risks th - [Mitigations](#mitigations) - [Proposed Mitigations](#proposed-mitigations) - [Consider restricting maximum input lengths](#consider-restricting-maximum-input-lengths) - - [Proposal: Treat hidden and visible elements in declarative MCP differently](#proposal-treat-hidden-and-visible-elements-in-declarative-mcp-differently) - [Supporting interoperable probabilistic defense structures through shared attack eval datasets](#supporting-interoperable-probabilistic-defense-structures-through-shared-attack-eval-datasets) - [Next Steps](#next-steps) - [References](#references)
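Review bot: this ToC fix belongs in the previous commit that removed the section (see PATCH 3/4), so that every commit in the series leaves the ToC consistent with the body. While touching these lines, the surrounding context still shows `- [Proposed Mitigations](#proposed-mitigations)` at the same level as `- [Mitigations](#mitigations)` even though the body makes it a sub-heading; indent it and its remaining two children one level.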