Implement url allowlist and blocklist

Author: Natallia Harshunova

src/bin/chrome-devtools-mcp-cli-options.ts

@@ -210,6 +210,17 @@ export const cliOptions = {
     describe:
       'Additional arguments for Chrome. Only applies when Chrome is launched by chrome-devtools-mcp.',
   },
+  blocklist: {
+    type: 'array',
+    describe:
+      'URL patterns to block access to. Uses standard URLPattern API. Cannot be used with --blocklist',
+  },
+  allowlist: {
+    type: 'array',
+    describe:
+      'URL patterns to allow access to (blocks everything else). Uses standard URLPattern API. Cannot be used with --blocklist.',
+    conflicts: ['blocklist'],
+  },
   ignoreDefaultChromeArg: {
     type: 'array',
     describe:

src/browser.ts

@@ -51,6 +51,8 @@ export async function ensureBrowserConnected(options: {
   channel?: Channel;
   userDataDir?: string;
   enableExtensions?: boolean;
+  blocklist?: string[];
+  allowlist?: string[];
 }) {
   const {channel, enableExtensions} = options;
   if (browser?.connected) {
@@ -61,6 +63,8 @@ export async function ensureBrowserConnected(options: {
     targetFilter: makeTargetFilter(enableExtensions),
     defaultViewport: null,
     handleDevToolsAsPage: true,
+    blocklist: options.blocklist,
+    allowlist: options.allowlist,
   };
 
   let autoConnect = false;
@@ -150,6 +154,8 @@ interface McpLaunchOptions {
   devtools: boolean;
   enableExtensions?: boolean;
   viaCli?: boolean;
+  blocklist?: string[];
+  allowlist?: string[];
 }
 
 export function detectDisplay(): void {
@@ -229,6 +235,8 @@ export async function launch(options: McpLaunchOptions): Promise<Browser> {
       acceptInsecureCerts: options.acceptInsecureCerts,
       handleDevToolsAsPage: true,
       enableExtensions: options.enableExtensions,
+      blocklist: options.blocklist,
+      allowlist: options.allowlist,
     });
     if (options.logFile) {
       // FIXME: we are probably subscribing too late to catch startup logs. We

src/index.ts

@@ -197,6 +197,13 @@ export async function createMcpServer(
       chromeArgs.push(`--proxy-server=${serverArgs.proxyServer}`);
     }
     const devtools = serverArgs.experimentalDevtools ?? false;
+    const blocklist = serverArgs.blocklist
+      ? serverArgs.blocklist.map(String)
+      : undefined;
+    const allowlist = serverArgs.allowlist
+      ? serverArgs.allowlist.map(String)
+      : undefined;
+
     const browser =
       serverArgs.browserUrl || serverArgs.wsEndpoint || serverArgs.autoConnect
         ? await ensureBrowserConnected({
@@ -209,6 +216,8 @@ export async function createMcpServer(
               : undefined,
             userDataDir: serverArgs.userDataDir,
             devtools,
+            blocklist,
+            allowlist,
           })
         : await ensureBrowserLaunched({
             headless: serverArgs.headless,
@@ -224,6 +233,8 @@ export async function createMcpServer(
             devtools,
             enableExtensions: serverArgs.categoryExtensions,
             viaCli: serverArgs.viaCli,
+            blocklist,
+            allowlist,
           });
 
     if (context?.browser !== browser) {

tests/browser.test.ts

@@ -13,6 +13,8 @@ import {executablePath} from 'puppeteer';
 
 import {detectDisplay, ensureBrowserConnected, launch} from '../src/browser.js';
 
+import {serverHooks} from './server.js';
+
 describe('browser', () => {
   it('detects display does not crash', () => {
     detectDisplay();
@@ -100,4 +102,88 @@ describe('browser', () => {
       await browser.close();
     }
   });
+
+  describe('Blocking', () => {
+    const server = serverHooks();
+
+    it('blocks URLs in blocklist', async () => {
+      server.addHtmlRoute('/allowed.html', '<html><body>Allowed</body></html>');
+      server.addHtmlRoute('/blocked.html', '<html><body>Blocked</body></html>');
+
+      const browser = await launch({
+        headless: true,
+        isolated: true,
+        executablePath: executablePath(),
+        devtools: false,
+        blocklist: ['*://*:*/blocked.html'],
+      });
+      try {
+        const page = await browser.newPage();
+
+        // Access allowed URL
+        await page.goto(server.getRoute('/allowed.html'));
+        const content = await page.evaluate(() => document.body.textContent);
+        assert.strictEqual(content, 'Allowed');
+
+        // Fetch of blocked URL from the page
+        const fetchResult = await page.evaluate(async url => {
+          try {
+            await fetch(url);
+            return 'SUCCESS';
+          } catch (err) {
+            return err instanceof Error ? err.message : String(err);
+          }
+        }, server.getRoute('/blocked.html'));
+
+        assert.strictEqual(fetchResult, 'Failed to fetch');
+      } finally {
+        await browser.close();
+      }
+    });
+
+    it(
+      'blocks URLs not in allowlist',
+      {skip: 'Requires Chrome 149 or greater'},
+      async () => {
+        server.addHtmlRoute(
+          '/allowed.html',
+          '<html><body>Allowed</body></html>',
+        );
+        server.addHtmlRoute(
+          '/blocked.html',
+          '<html><body>Blocked</body></html>',
+        );
+
+        const browser = await launch({
+          headless: true,
+          isolated: true,
+          executablePath: executablePath(),
+          devtools: false,
+          allowlist: ['*://*/allowed.html'],
+        });
+        try {
+          const page = await browser.newPage();
+
+          // Access allowed URL
+          await page.goto(server.getRoute('/allowed.html'));
+          const content = await page.evaluate(() => document.body.textContent);
+          assert.strictEqual(content, 'Allowed');
+
+          // Fetch of blocked URL from the page
+          const fetchResult = await page.evaluate(async url => {
+            try {
+              await fetch(url);
+              return 'SUCCESS';
+            } catch (err) {
+              return err instanceof Error ? err.message : String(err);
+            }
+          }, server.getRoute('/blocked.html'));
+
+          assert.strictEqual(fetchResult, 'Failed to fetch');
+        } finally {
+          await browser.close();
+        }
+      },
+    );
+  });
 });