fix(extension): require borrowing before tab access#15
Open
NianJiuZst wants to merge 4 commits into
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What problem this solves
BrowserSkill promises that an existing user tab must be explicitly borrowed before the agent touches it. The write-oriented handlers already enforce that boundary, but the shared explicit
tab_idresolver treated every normal user window as visible to the active session.That meant an agent could list user tabs, take a tab id, and call observation tools such as
snapshot,get-html,screenshot, orconsolewithout showing the borrow confirmation or moving the tab into the Agent Window. The same resolver is also used by evaluate, wait, navigation, human-loop, and interaction handlers, so the inconsistency existed at the common authorization boundary rather than in one isolated command.This was especially risky for already-authenticated pages because a read-only command could expose page content before the user had granted per-tab access. Existing tests encoded the old behavior by expecting screenshot and console access to succeed against a tab in a regular user window.
How this fixes it
The shared target resolver now requires every explicit tab to belong to the current session's Agent Window. A pre-existing user tab becomes eligible only after
tab_borrowmoves it into that window. Tabs owned by another session continue to returnnot_found, so this change does not weaken cross-session isolation or reveal another session's window membership.The resolver returns the existing structured
permission_denied/agent_window_scopeerror for an ordinary user tab. This gives callers a consistent, actionable explanation: borrow the tab before reading or interacting with it.Tests now cover both sides of the boundary:
User impact
Agents can still discover user tabs through
tab listso they can identify a borrow target, but they cannot inspect page content until the user-approved borrow flow completes. Agent-created tabs and already-borrowed tabs continue to work because both live in the session's Agent Window.This aligns runtime behavior with the README and privacy-policy promise that pre-existing tabs stay outside agent control until explicitly borrowed.
Validation
corepack pnpm --filter @browser-skill/extension test -- src/tools/__tests__/shared.test.ts src/tools/__tests__/observation.test.ts src/tools/__tests__/console.test.tscorepack pnpm --filter @browser-skill/extension compilegit diff --checkCI Baseline Compatibility
This branch also carries the one-line Biome 2.4 formatter output for
apps/extension/vitest.config.ts. The same formatting mismatch currently fails the Frontend job onupstream/main; this minimal compatibility commit is intentionally separate from the functional fix and lets this PR run the repository CI suite to completion.CI Reliability Follow-up
GitHub Actions exposed a pre-existing test-only port allocation race: integration helpers probed an ephemeral port, released it, and then asked the daemon to bind the same number, allowing another process to claim it in between. The resulting
Address already in usefailure was unrelated to the functional changes. The PR now lets each daemon bind port0directly and reads the assigned address from its handle, removing the TOCTOU window across all affected integration helpers.