MCPcopy Index your code
hub / github.com/garrytan/gstack / assertJsOriginAllowed

Function assertJsOriginAllowed

browse/src/read-commands.ts:185–209  ·  view source on GitHub ↗

* When cookies have been imported for specific domains, block JS execution * on pages whose origin doesn't match any imported cookie domain. * Prevents cross-origin cookie exfiltration via `js document.cookie` or * similar when the agent navigates to an untrusted page.

(bm: BrowserManager, pageUrl: string)

Source from the content-addressed store, hash-verified

183 * similar when the agent navigates to an untrusted page.
184 */
185function assertJsOriginAllowed(bm: BrowserManager, pageUrl: string): void {
186 if (!bm.hasCookieImports()) return;
187
188 let hostname: string;
189 try {
190 hostname = new URL(pageUrl).hostname;
191 } catch {
192 return; // about:blank, data: URIs — allow (no cookies at risk)
193 }
194
195 const importedDomains = bm.getCookieImportedDomains();
196 const allowed = [...importedDomains].some(domain => {
197 // Exact match or subdomain match (e.g., ".github.com" matches "api.github.com")
198 const normalized = domain.startsWith('.') ? domain : '.' + domain;
199 return hostname === domain.replace(/^\./, '') || hostname.endsWith(normalized);
200 });
201
202 if (!allowed) {
203 throw new Error(
204 `JS execution blocked: current page (${hostname}) does not match any cookie-imported domain. ` +
205 `Imported cookies for: ${[...importedDomains].join(', ')}. ` +
206 `This prevents cross-origin cookie exfiltration. Navigate to an imported domain or run without imported cookies.`
207 );
208 }
209}
210
211export async function handleReadCommand(
212 command: string,

Callers 1

handleReadCommandFunction · 0.85

Calls 2

hasCookieImportsMethod · 0.80

Tested by

no test coverage detected