feat: support experimental allowlist for navigate tool calls (#1935)

This PR adds an experimental allowlist for the page navigate tool call
(requires `--experimentalNavigationAllowlist`, off by default). The
feature uses a list of URLPatterns to decline navigations that land on
disallowed URLs. If that happens, the client can update the allowlist
and re-try. The purpose of the this feature is to offer additional
guardrails on top of the MCP server. It does not restrict subresources
or JS/iframe navigations in any way. The performance impact is minimized
by turning off interception as soon as the navigation request is done.

Author: OrKoN

package-lock.json

@@ -80,6 +80,7 @@
     "tiktoken": "^1.0.22",
     "typescript": "^6.0.2",
     "typescript-eslint": "^8.43.0",
+    "urlpattern-polyfill": "^10.1.0",
     "yargs": "18.0.0"
   },
   "engines": {

package.json

@@ -180,6 +180,11 @@ export const cliOptions = {
       'Whether to include all kinds of pages such as webviews or background pages as pages.',
     hidden: true,
   },
+  experimentalNavigationAllowlist: {
+    type: 'boolean',
+    describe: 'Whether to enable navigation allowlist tool parameter.',
+    hidden: true,
+  },
   experimentalInteropTools: {
     type: 'boolean',
     describe: 'Whether to enable interoperability tools',

src/bin/chrome-devtools-mcp-cli-options.ts

@@ -130,6 +130,14 @@
     "name": "experimental_memory_present",
     "flagType": "boolean"
   },
+  {
+    "name": "experimental_navigation_allowlist",
+    "flagType": "boolean"
+  },
+  {
+    "name": "experimental_navigation_allowlist_present",
+    "flagType": "boolean"
+  },
   {
     "name": "experimental_page_id_routing",
     "flagType": "boolean"

src/telemetry/flag_usage_metrics.json

@@ -4,6 +4,7 @@
  * SPDX-License-Identifier: Apache-2.0
  */
 
+import 'urlpattern-polyfill';
 import 'core-js/modules/es.promise.with-resolvers.js';
 import 'core-js/modules/es.set.union.v2.js';
 import 'core-js/proposals/iterator-helpers.js';