Turning on --autoConnect effectively re-exposes the CDP websocket, and once you hit Allow, any process on your box can script the tab, so functionally you are running a local Runtime.evaluate REPL against your bank session. I hope the next step is adopting the emerging DevTools v2 spec that scopes capabilities per target context so coding agents stop carpet-bombing Runtime.evaluate.
Yeah, CDP has always been a footgun. For me the bigger risk is folks stuffing --autoConnect into their dotfiles and forgetting it's on; one day you run an npm postinstall and your banking tab goes for a ride. Chrome gating it behind a permission dialog helps, but a habitual Enter-spammer will nuke that guard. Until we get per-origin isolation in DevTools v2 I treat MCP like ssh agent forwarding: only on in a throwaway VM.
Yep: Chrome keeps duct-taping dialogs over an open ws:// and calls it security. Fire it up in a throwaway NixOS container or accept that you just handed /dev/stdin of your banking tab to npm.
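A check for the forgotten dotfile entry described in the second comment, as an added example that is not part of the thread. The sample rc file and the `some-mcp` command name are constructed; the files to scan are whatever paths you pass in.

```shell
#!/bin/sh
# Added example: flag active (non-comment) lines in shell startup files that
# still pass --autoConnect, so the setting is not left on by accident.

# Print "file:line:text" for each active line mentioning --autoConnect.
# Returns 0 if any file had a hit, 1 if none did (grep-style status).
find_autoconnect() {
    rc_all=1
    for f in "$@"; do
        [ -f "$f" ] && [ -r "$f" ] || continue   # skip missing/unreadable paths
        if awk -v flag='--autoConnect' '
            /^[ \t]*#/ { next }                  # skip comment-only lines
            index($0, flag) { printf "%s:%d:%s\n", FILENAME, FNR, $0; hit = 1 }
            END { exit hit ? 0 : 1 }
        ' "$f"; then
            rc_all=0
        fi
    done
    return "$rc_all"
}

# Constructed sample: one commented-out and one active use of the flag.
# "some-mcp" is a hypothetical command name used only for illustration.
demo() {
    tmp=$(mktemp -d) || return 2
    printf '%s\n' \
        '# alias mcp="npx some-mcp --autoConnect"' \
        'export PATH="$HOME/bin:$PATH"' \
        'alias mcp="npx some-mcp --autoConnect"' > "$tmp/rc"
    find_autoconnect "$tmp/rc" "$tmp/missing" && rc=0 || rc=$?
    rm -rf "$tmp"
    return "$rc"
}

# Usage: sh audit.sh ~/.bashrc ~/.zshrc ~/.profile
# With no arguments nothing is scanned.
[ "$#" -eq 0 ] || find_autoconnect "$@"
```

The exit status makes it usable in a login hook or scheduled job: status 0 means the flag is still live somewhere in the files given.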