Breaking origin isolation without breaking the browser

30 views

Skip to first unread message

Earlence Fernandes

unread,

Apr 30, 2026, 11:38:58 PM (5 days ago) Apr 30

to Chrome Built-in AI Early Preview Program Discussions

I'm a security researcher and wrote this blog post about how WebMCP will break origin isolation on the web. Thoughts/feedback welcome!

https://www.earlence.com/blog.html#/post/webmcp-sameorigin

Note: this was appropriately disclosed to the webmcp team head of publication.

-Earlence

Thomas Steiner

unread,

May 4, 2026, 5:14:02 AM (yesterday) May 4

to Earlence Fernandes, Chrome Built-in AI Early Preview Program Discussions

Thank you, Earlence! For posterity, this was dealt with, see the comment thread on GitHub, especially this comment.

Cheers,

Tom

--
You received this message because you are subscribed to the Google Groups "Chrome Built-in AI Early Preview Program Discussions" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chrome-ai-dev-previe...@chromium.org.
To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/chrome-ai-dev-preview-discuss/376c48f3-98d7-4c3a-a251-efc53856a76an%40chromium.org.

Thomas Steiner, PhD—Developer Relations Engineer (blog.tomayac.com, toot.cafe/@tomayac)

Google Spain, S.L.U.

Torre Picasso, Pl. Pablo Ruiz Picasso, 1, Tetuán, 28020 Madrid, Spain

CIF: B63272603

Inscrita en el Registro Mercantil de Madrid, sección 8, Hoja M-435397 Tomo 24227 Folio 25

----- BEGIN PGP SIGNATURE -----

Version: GnuPG v2.4.8 (GNU/Linux)

iFy0uwAntT0bE3xtRa5AfeCheCkthAtTh3reSabiGbl0ck

0fjumBl3DCharaCTersAttH3b0ttom.xKcd.cOm/1181.

----- END PGP SIGNATURE -----

Reply all

Reply to author

Forward

0 new messages