HackerTrans
TopNewTrendsCommentsPastAskShowJobs

guard402

no profile record

comments

guard402
·4 ay önce·discuss
We tested this systematically and the results are more nuanced than you might expect.

We built a hotel listing page with a display:none injection ($189 listing with a hidden override to book $4,200) and tested six DOM extraction APIs via Chrome CDP. The split: innerText, Chrome Accessibility Tree, and Playwright's ARIA snapshot all filter it. textContent, innerHTML, and direct querySelector don't.

Then we audited the source code of all four major browser MCP tools: chrome-devtools-mcp (Google), playwright-mcp (Microsoft), chrome-cdp-skill, and puppeteer-mcp. Every single one defaults to a safe extraction method — accessibility tree or innerText. That's the good news.

The bad news: three out of four expose evaluate_script or eval commands that let the agent run arbitrary JS in the page context. When the accessibility tree doesn't return enough text (it often only gives headings and buttons), the agent's natural next step is textContent or innerHTML via eval. This is even shown as an example in the chrome-devtools-mcp docs.

Also: display:none is just the simplest technique. We tested opacity:0, font-size:0, and position:absolute left:-9999px — all three bypass even the safe defaults because the elements are technically "rendered" and accessible to screen readers. A determined attacker who knows you're using the accessibility tree can trivially switch to opacity-based hiding.
guard402
·4 ay önce·discuss
Interesting approach to a real problem. One thing worth considering: the content entering the context window isn't always trusted, and compression may interact with that in non-obvious ways.

If an agent reads external web pages via MCP, the "context" can contain hidden prompt injections — display:none divs, zero-width Unicode characters, opacity:0 text. We tested six DOM extraction APIs against a hidden injection and found that textContent and innerHTML expose it while innerText and the accessibility tree filter it.

The concern with compressing before scanning: if you compress untrusted external content alongside trusted system instructions, you're mixing adversarial input with your prompt before any inspection happens. An injection that says "ignore all previous instructions" gets compressed right next to the actual instructions. At that point, even if you scan the compressed output, the boundary between trusted and untrusted content is gone.

A scan-then-compress pipeline (or at minimum, compressing trusted and untrusted content in separate passes) would preserve the ability to detect injections before they get interleaved with system context.
guard402
·4 ay önce·discuss
[flagged]
guard402
·4 ay önce·discuss
We tested this — the default take_snapshot path (Accessibility.getFullAXTree) is safe. It filters display:none elements because they're excluded from the accessibility tree.

But evaluate_script is the escape hatch. If an agent runs document.body.textContent instead of using the AX tree, hidden injections in display:none divs show up in the output. innerText is safe (respects CSS visibility), textContent is not (returns all text nodes regardless of styling).

The gap: the agent decides which extraction method to use, not the user. When the AX tree doesn't return enough text, a plausible next step is evaluate_script with textContent — which is even shown as an example in the docs.

Also worth noting: opacity:0 and font-size:0 bypass even the safe defaults. The AX tree includes those because the elements are technically 'rendered' and accessible to screen readers. display:none is just the most common hiding technique, not the only one.