From 10290137f6561d210cb843a224073b7d231367ef Mon Sep 17 00:00:00 2001 From: Victor Huang Date: Thu, 28 May 2026 15:04:12 -0700 Subject: [PATCH 01/14] Add blank security-privacy --- security-privacy-questionnaire.md | 42 +++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 security-privacy-questionnaire.md diff --git a/security-privacy-questionnaire.md b/security-privacy-questionnaire.md new file mode 100644 index 0000000..54b48e3 --- /dev/null +++ b/security-privacy-questionnaire.md 
@@ -0,0 +1,42 @@ +# [Self-Review Questionnaire: Security and Privacy](https://w3c.github.io/security-questionnaire/) + + +01. What information does this feature expose, + and for what purposes? +02. Do features in your specification expose the minimum amount of information + necessary to implement the intended functionality? +03. Do the features in your specification expose personal information, + personally-identifiable information (PII), or information derived from + either? +04. How do the features in your specification deal with sensitive information? +05. Does data exposed by your specification carry related but distinct + information that may not be obvious to users? +06. Do the features in your specification introduce state + that persists across browsing sessions? +07. Do the features in your specification expose information about the + underlying platform to origins? +08. Does this specification allow an origin to send data to the underlying + platform? +09. Do features in this specification enable access to device sensors? +10. Do features in this specification enable new script execution/loading + mechanisms? +11. Do features in this specification allow an origin to access other devices? +12. Do features in this specification allow an origin some measure of control over + a user agent's native UI? +13. What temporary identifiers do the features in this specification create or + expose to the web? +14. How does this specification distinguish between behavior in first-party and + third-party contexts? +15. How do the features in this specification work in the context of a browser’s + Private Browsing or Incognito mode? +16. Does this specification have both "Security Considerations" and "Privacy + Considerations" sections? +17. Do features in your specification enable origins to downgrade default + security protections? +18. 
What happens when a document that uses your feature is kept alive in BFCache + (instead of getting destroyed) after navigation, and potentially gets reused + on future navigations back to the document? +19. What happens when a document that uses your feature gets disconnected? +20. Does your spec define when and how new kinds of errors should be raised? +21. Does your feature allow sites to learn about the user's use of assistive technology? +22. What should this questionnaire have asked? \ No newline at end of file From eb0b7d2ac8142be7223d477b05486e54b68ead92 Mon Sep 17 00:00:00 2001 From: Victor Huang Date: Thu, 28 May 2026 16:03:14 -0700 Subject: [PATCH 02/14] Initial draft answers --- security-privacy-questionnaire.md | 135 +++++++++++++++++++++--------- 1 file changed, 96 insertions(+), 39 deletions(-) diff --git a/security-privacy-questionnaire.md b/security-privacy-questionnaire.md index 54b48e3..13e779d 100644 --- a/security-privacy-questionnaire.md +++ b/security-privacy-questionnaire.md 
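Review bot: the new file ends without a trailing newline (the `\ No newline at end of file` marker at the end of the hunk); add one so the last line does not show up as modified in every later edit. Otherwise the template is a faithful copy of the W3C questionnaire, and the `01.` to `22.` zero-padded numbering keeps the items aligned, so no other changes needed here.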
@@ -1,42 +1,99 @@ # [Self-Review Questionnaire: Security and Privacy](https://w3c.github.io/security-questionnaire/) +1. What information does this feature expose, and for what purposes? -01. What information does this feature expose, - and for what purposes? -02. Do features in your specification expose the minimum amount of information - necessary to implement the intended functionality? -03. Do the features in your specification expose personal information, - personally-identifiable information (PII), or information derived from - either? -04. How do the features in your specification deal with sensitive information? -05. Does data exposed by your specification carry related but distinct - information that may not be obvious to users? -06. Do the features in your specification introduce state - that persists across browsing sessions? -07. Do the features in your specification expose information about the - underlying platform to origins? -08. Does this specification allow an origin to send data to the underlying - platform? -09. Do features in this specification enable access to device sensors? -10. Do features in this specification enable new script execution/loading - mechanisms? -11. Do features in this specification allow an origin to access other devices? -12. Do features in this specification allow an origin some measure of control over - a user agent's native UI? -13. What temporary identifiers do the features in this specification create or - expose to the web? -14. How does this specification distinguish between behavior in first-party and - third-party contexts? -15. How do the features in this specification work in the context of a browser’s - Private Browsing or Incognito mode? -16. Does this specification have both "Security Considerations" and "Privacy - Considerations" sections? -17. Do features in your specification enable origins to downgrade default - security protections? -18. 
What happens when a document that uses your feature is kept alive in BFCache - (instead of getting destroyed) after navigation, and potentially gets reused - on future navigations back to the document? -19. What happens when a document that uses your feature gets disconnected? -20. Does your spec define when and how new kinds of errors should be raised? -21. Does your feature allow sites to learn about the user's use of assistive technology? -22. What should this questionnaire have asked? \ No newline at end of file +WebMCP exposes author-defined tool metadata and tool return values to UA. It does not expose new information about the user or their environment to origins. + +Cross-origin iframes may discover these tools, only if explicitly allowed by tool authors via `exposedTo`. + +1. Do features in your specification expose the minimum amount of information necessary to implement the intended functionality? + +The API surface itself exposes only the information necessary to implement the intended functionality. + +1. Do the features in your specification expose personal information, personally-identifiable information (PII), or information derived from either? + +No, the API itself does not expose PII. + +We do note that there is a novel challenge that implementors of agents calling these tools should be aware of: malicious tools can ask for a non-minimal set of PII to achieve their intended functionality, which can cause privacy leakage. See [Privacy Leakage through Over Parameterization](https://w3c.github.io/webmcp/#privacy-leakage-through-over-parameterization) for more details. WebMCP did not increase the vector of attack (compared to a malicious tool asking for more PII in a non-WebMCP context), but they should be aware that this risk exists. + +1. How do the features in your specification deal with sensitive information? + +WebMCP itself is not a source of sensitive information. Tools may wrap sensitive information, but that is not a WebMCP-specific issue. 
We discuss the risk of sites exposing sensitive content in tools in [Tool Implementation as Attack Targets](https://webmachinelearning.github.io/webmcp/#tool-implementation-targets). + +1. Does data exposed by your specification carry related but distinct information that may not be obvious to users? + +No, the API surface itself does not expose related but distinct information. + +1. Do the features in your specification introduce state that persists across browsing sessions? + +No, currently WebMCP tools are tied to the document's lifetime. There's discussions of options to help persist tools across navigation, but that is not currently specified. + +1. Do the features in your specification expose information about the underlying platform to origins? + +No. + +1. Does this specification allow an origin to send data to the underlying platform? + +Tool inputs and outputs flow between the page and the authorized agent, which includes built-in agent in the UA. The data is structured (JSON-serializable values conforming to declared schemas). + +1. Do features in this specification enable access to device sensors? + +No. + +1. Do features in this specification enable new script execution/loading mechanisms? + +No. Tool `execute` callbacks are ordinary JavaScript invoked in the registering document's existing realm. + +1. Do features in this specification allow an origin to access other devices? + +No. + +1. Do features in this specification allow an origin some measure of control over a user agent's native UI? + +No direct control at the moment. There is discussion of `requestUserInput` in issue [#165](https://github.com/webmachinelearning/webmcp/issues/165). + +1. What temporary identifiers do the features in this specification create or expose to the web? + +None. + +1. How does this specification distinguish between behavior in first-party and third-party contexts? + +Feature is gated by Permissions Policy `tools`. 
The feature is allowed in the top-level document and same-origin descendants by default; Permission policy can be used to allow it in cross-origin iframes, or to disallow it in same-origin frames. + +Additionally, tools themselves can specify `exposedTo` to control which origins (or `native-agents`, name to be bikeshed as per [#179](https://github.com/webmachinelearning/webmcp/pull/179)) can discover them. + +1. How do the features in this specification work in the context of a browser’s Private Browsing or Incognito mode? + +We do not anticipate any differences. + +1. Does this specification have both "Security Considerations" and "Privacy Considerations" sections? + +[Security and Privacy Considerations](https://webmachinelearning.github.io/webmcp/#security-and-privacy-considerations). + +1. Do features in your specification enable origins to downgrade default security protections? + +No. + +1. What happens when a document that uses your feature is kept alive in BFCache (instead of getting destroyed) after navigation, and potentially gets reused on future navigations back to the document? + +A BFCached document's registered tools remain in memory. While the document is non-fully-active, agents should not invoke its tools or deliver events to it. On restoration, registered tools become available again. + +1. What happens when a document that uses your feature gets disconnected? + +A disconnected document's tools are no longer discoverable or invokable by agents. Pending tool invocations associated with the document are abandoned. + +1. Does your spec define when and how new kinds of errors should be raised? + +Yes. `registerTool()` throws `InvalidStateError` for inactive documents, duplicate names, or invalid name/description. + +`NotAllowedError` when the "tools" Permissions Policy is disallowed; `SecurityError` for non-trustworthy exposedTo rigins; and `TypeError` when inputSchema serialization fails.o + +These errors do not leak new information to the origins. 
+ +1. Does your feature allow sites to learn about the user's use of assistive technology? + +No. + +1. What should this questionnaire have asked? + +None that I can think of. \ No newline at end of file From 0692f57c1e7aa253dff2cc1efd8db2950a477408 Mon Sep 17 00:00:00 2001 From: Victor Huang Date: Thu, 28 May 2026 16:08:35 -0700 Subject: [PATCH 03/14] Copy edit on questionnaire answers --- security-privacy-questionnaire.md | 80 +++++++++++++++---------------- 1 file changed, 38 insertions(+), 42 deletions(-) diff --git a/security-privacy-questionnaire.md b/security-privacy-questionnaire.md index 13e779d..87b7e7d 100644 --- a/security-privacy-questionnaire.md +++ b/security-privacy-questionnaire.md 
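Review bot: the answer to question 20 has two typos that garble the error list (`non-trustworthy exposedTo rigins` should read `origins`, and the stray `o` after `serialization fails.` should be dropped), and since every item is now numbered `1.` with unindented answer paragraphs in between, CommonMark renders each question as its own list starting at 1, so the sequence numbers are lost; keep explicit `01.` to `22.` as the blank template had. Two smaller points in the same hunk: the question 08 answer never states a yes/no, even though tool return values do reach the built-in agent, so lead with "Yes" before describing the data shape; and the question 03 link points at `w3c.github.io/webmcp` while every other link uses `webmachinelearning.github.io/webmcp`, so one of the two hosts is probably wrong. Under question 14, `Permission policy` should be `Permissions Policy` to match the first sentence.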
@@ -1,99 +1,95 @@ # [Self-Review Questionnaire: Security and Privacy](https://w3c.github.io/security-questionnaire/) -1. What information does this feature expose, and for what purposes? +01. What information does this feature expose, and for what purposes? -WebMCP exposes author-defined tool metadata and tool return values to UA. It does not expose new information about the user or their environment to origins. +WebMCP exposes author-defined tool metadata and tool return values to the user agent. It does not expose new information about the user or their environment to origins. -Cross-origin iframes may discover these tools, only if explicitly allowed by tool authors via `exposedTo`. +Cross-origin iframes may discover these tools only if the tool author explicitly opts in via `exposedTo`. -1. Do features in your specification expose the minimum amount of information necessary to implement the intended functionality? +02. Do features in your specification expose the minimum amount of information necessary to implement the intended functionality? -The API surface itself exposes only the information necessary to implement the intended functionality. +Yes. The API surface exposes only what is necessary for agents to discover and invoke tools. The information that flows through tool parameters and return values is entirely scoped to what the author declares. -1. Do the features in your specification expose personal information, personally-identifiable information (PII), or information derived from either? +03. Do the features in your specification expose personal information, personally-identifiable information (PII), or information derived from either? -No, the API itself does not expose PII. +No, the API itself does not expose PII. -We do note that there is a novel challenge that implementors of agents calling these tools should be aware of: malicious tools can ask for a non-minimal set of PII to achieve their intended functionality, which can cause privacy leakage. 
See [Privacy Leakage through Over Parameterization](https://w3c.github.io/webmcp/#privacy-leakage-through-over-parameterization) for more details. WebMCP did not increase the vector of attack (compared to a malicious tool asking for more PII in a non-WebMCP context), but they should be aware that this risk exists. +We note a novel challenge for agent implementors: malicious tools can request a non-minimal set of personal data via their input parameters, causing privacy leakage. See [Privacy Leakage through Over-Parameterization](https://w3c.github.io/webmcp/#privacy-leakage-over-parameterization) for details. WebMCP does not increase the attack vector compared to tools in non-WebMCP contexts, but implementors should be aware that this risk exists. -1. How do the features in your specification deal with sensitive information? +04. How do the features in your specification deal with sensitive information? -WebMCP itself is not a source of sensitive information. Tools may wrap sensitive information, but that is not a WebMCP-specific issue. We discuss the risk of sites exposing sensitive content in tools in [Tool Implementation as Attack Targets](https://webmachinelearning.github.io/webmcp/#tool-implementation-targets). +WebMCP is not a source of sensitive information. Tools may wrap sensitive or high-privilege operations (e.g., purchases, account changes), but that is not WebMCP-specific. We discuss this risk in [Tool Implementation as Attack Targets](https://webmachinelearning.github.io/webmcp/#tool-implementation-targets). -1. Does data exposed by your specification carry related but distinct information that may not be obvious to users? +05. Does data exposed by your specification carry related but distinct information that may not be obvious to users? -No, the API surface itself does not expose related but distinct information. +No, the API surface itself does not carry related but distinct information. -1. 
Do the features in your specification introduce state that persists across browsing sessions? +06. Do the features in your specification introduce state that persists across browsing sessions? -No, currently WebMCP tools are tied to the document's lifetime. There's discussions of options to help persist tools across navigation, but that is not currently specified. +No. Tool registrations are tied to the document's lifetime. There are discussions about persisting tools across navigation, but that is not currently specified. -1. Do the features in your specification expose information about the underlying platform to origins? +07. Do the features in your specification expose information about the underlying platform to origins? No. -1. Does this specification allow an origin to send data to the underlying platform? +08. Does this specification allow an origin to send data to the underlying platform? -Tool inputs and outputs flow between the page and the authorized agent, which includes built-in agent in the UA. The data is structured (JSON-serializable values conforming to declared schemas). +Tool inputs and outputs flow between the page and the authorized agent, which may include the user agent's built-in agent. The data is structured (JSON-serializable values conforming to declared schemas). -1. Do features in this specification enable access to device sensors? +09. Do features in this specification enable access to device sensors? No. -1. Do features in this specification enable new script execution/loading mechanisms? +10. Do features in this specification enable new script execution/loading mechanisms? No. Tool `execute` callbacks are ordinary JavaScript invoked in the registering document's existing realm. -1. Do features in this specification allow an origin to access other devices? +11. Do features in this specification allow an origin to access other devices? No. -1. 
Do features in this specification allow an origin some measure of control over a user agent's native UI? +12. Do features in this specification allow an origin some measure of control over a user agent's native UI? -No direct control at the moment. There is discussion of `requestUserInput` in issue [#165](https://github.com/webmachinelearning/webmcp/issues/165). +No direct control. There is discussion of `requestUserInput` in [Issue #165](https://github.com/webmachinelearning/webmcp/issues/165). -1. What temporary identifiers do the features in this specification create or expose to the web? +13. What temporary identifiers do the features in this specification create or expose to the web? None. -1. How does this specification distinguish between behavior in first-party and third-party contexts? +14. How does this specification distinguish between behavior in first-party and third-party contexts? -Feature is gated by Permissions Policy `tools`. The feature is allowed in the top-level document and same-origin descendants by default; Permission policy can be used to allow it in cross-origin iframes, or to disallow it in same-origin frames. +The feature is gated by Permissions Policy `"tools"`. It is allowed in top-level documents and same-origin descendants by default; Permissions Policy can be used to allow it in cross-origin iframes and/or to disallow it in same-origin frames. -Additionally, tools themselves can specify `exposedTo` to control which origins (or `native-agents`, name to be bikeshed as per [#179](https://github.com/webmachinelearning/webmcp/pull/179)) can discover them. +Additionally, tools can specify `exposedTo` to control which origins (or `native-agents`, name to be bikeshed per [#179](https://github.com/webmachinelearning/webmcp/pull/179)) can discover them. -1. How do the features in this specification work in the context of a browser’s Private Browsing or Incognito mode? +15. 
How do the features in this specification work in the context of a browser's Private Browsing or Incognito mode? We do not anticipate any differences. -1. Does this specification have both "Security Considerations" and "Privacy Considerations" sections? +16. Does this specification have both "Security Considerations" and "Privacy Considerations" sections? -[Security and Privacy Considerations](https://webmachinelearning.github.io/webmcp/#security-and-privacy-considerations). +Yes. See [Security and Privacy Considerations](https://webmachinelearning.github.io/webmcp/#security-privacy). -1. Do features in your specification enable origins to downgrade default security protections? +17. Do features in your specification enable origins to downgrade default security protections? No. -1. What happens when a document that uses your feature is kept alive in BFCache (instead of getting destroyed) after navigation, and potentially gets reused on future navigations back to the document? +18. What happens when a document that uses your feature is kept alive in BFCache (instead of getting destroyed) after navigation, and potentially gets reused on future navigations back to the document? -A BFCached document's registered tools remain in memory. While the document is non-fully-active, agents should not invoke its tools or deliver events to it. On restoration, registered tools become available again. +A BFCached document's registered tools remain in memory. While the document is non-fully-active, agents should not invoke its tools or deliver events to it. On restoration, registered tools become available again. -1. What happens when a document that uses your feature gets disconnected? +19. What happens when a document that uses your feature gets disconnected? A disconnected document's tools are no longer discoverable or invokable by agents. Pending tool invocations associated with the document are abandoned. -1. 
Does your spec define when and how new kinds of errors should be raised? +20. Does your spec define when and how new kinds of errors should be raised? -Yes. `registerTool()` throws `InvalidStateError` for inactive documents, duplicate names, or invalid name/description. +Yes. `registerTool()` throws `InvalidStateError` for inactive documents, duplicate names, or invalid name/description; `NotAllowedError` when the `"tools"` Permissions Policy is disallowed; `SecurityError` for non-trustworthy `exposedTo` origins; and `TypeError` when `inputSchema` serialization fails. These errors only reflect the page's own state and inputs, so they do not leak new information. -`NotAllowedError` when the "tools" Permissions Policy is disallowed; `SecurityError` for non-trustworthy exposedTo rigins; and `TypeError` when inputSchema serialization fails.o +21. Does your feature allow sites to learn about the user's use of assistive technology? -These errors do not leak new information to the origins. - -1. Does your feature allow sites to learn about the user's use of assistive technology? - No. -1. What should this questionnaire have asked? +22. What should this questionnaire have asked? -None that I can think of. \ No newline at end of file +None that we can think of. \ No newline at end of file From 86fa9e5b379a60d1107b044365a0a650706c26cd Mon Sep 17 00:00:00 2001 From: Victor Huang Date: Thu, 28 May 2026 16:10:38 -0700 Subject: [PATCH 04/14] Format questions in the security and privacy questionnaire for consistency --- security-privacy-questionnaire.md | 52 +++++++++++++++---------------- 1 file changed, 26 insertions(+), 26 deletions(-) diff --git a/security-privacy-questionnaire.md b/security-privacy-questionnaire.md index 87b7e7d..17fdd62 100644 --- a/security-privacy-questionnaire.md +++ b/security-privacy-questionnaire.md 
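Review bot: the question 03 link anchor is changed to `#privacy-leakage-over-parameterization` and the question 16 anchor to `#security-privacy`, but the question 03 host is still `w3c.github.io/webmcp` while the rest of the file links to `webmachinelearning.github.io/webmcp`; please confirm both anchors resolve in the published draft and use one host throughout. The merged question 20 answer reads well and the added justification ("only reflect the page's own state and inputs") is the right thing to say for an information-leak question; the file still lacks a trailing newline, though.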
@@ -1,95 +1,95 @@ # [Self-Review Questionnaire: Security and Privacy](https://w3c.github.io/security-questionnaire/) -01. What information does this feature expose, and for what purposes? +> 01. What information does this feature expose, and for what purposes? WebMCP exposes author-defined tool metadata and tool return values to the user agent. It does not expose new information about the user or their environment to origins. -Cross-origin iframes may discover these tools only if the tool author explicitly opts in via `exposedTo`. +Cross-origin iframes may discover these tools only if the tool author explicitly opts in via `exposedTo`. -02. Do features in your specification expose the minimum amount of information necessary to implement the intended functionality? +> 02. Do features in your specification expose the minimum amount of information necessary to implement the intended functionality? -Yes. The API surface exposes only what is necessary for agents to discover and invoke tools. The information that flows through tool parameters and return values is entirely scoped to what the author declares. +Yes. The API surface exposes only what is necessary for agents to discover and invoke tools. The information that flows through tool parameters and return values is entirely scoped to what the author declares. -03. Do the features in your specification expose personal information, personally-identifiable information (PII), or information derived from either? +> 03. Do the features in your specification expose personal information, personally-identifiable information (PII), or information derived from either? No, the API itself does not expose PII. -We note a novel challenge for agent implementors: malicious tools can request a non-minimal set of personal data via their input parameters, causing privacy leakage. See [Privacy Leakage through Over-Parameterization](https://w3c.github.io/webmcp/#privacy-leakage-over-parameterization) for details. 
WebMCP does not increase the attack vector compared to tools in non-WebMCP contexts, but implementors should be aware that this risk exists. +We note a novel challenge for agent implementors: malicious tools can request a non-minimal set of personal data via their input parameters, causing privacy leakage. See [Privacy Leakage through Over-Parameterization](https://w3c.github.io/webmcp/#privacy-leakage-over-parameterization) for details. WebMCP does not increase the attack vector compared to tools in non-WebMCP contexts, but implementors should be aware that this risk exists. -04. How do the features in your specification deal with sensitive information? +> 04. How do the features in your specification deal with sensitive information? -WebMCP is not a source of sensitive information. Tools may wrap sensitive or high-privilege operations (e.g., purchases, account changes), but that is not WebMCP-specific. We discuss this risk in [Tool Implementation as Attack Targets](https://webmachinelearning.github.io/webmcp/#tool-implementation-targets). +WebMCP is not a source of sensitive information. Tools may wrap sensitive or high-privilege operations (e.g., purchases, account changes), but that risk is not WebMCP-specific. We discuss this risk in [Tool Implementation as Attack Targets](https://webmachinelearning.github.io/webmcp/#tool-implementation-targets). -05. Does data exposed by your specification carry related but distinct information that may not be obvious to users? +> 05. Does data exposed by your specification carry related but distinct information that may not be obvious to users? No, the API surface itself does not carry related but distinct information. -06. Do the features in your specification introduce state that persists across browsing sessions? +> 06. Do the features in your specification introduce state that persists across browsing sessions? No. Tool registrations are tied to the document's lifetime. 
There are discussions about persisting tools across navigation, but that is not currently specified. -07. Do the features in your specification expose information about the underlying platform to origins? +> 07. Do the features in your specification expose information about the underlying platform to origins? No. -08. Does this specification allow an origin to send data to the underlying platform? +> 08. Does this specification allow an origin to send data to the underlying platform? Tool inputs and outputs flow between the page and the authorized agent, which may include the user agent's built-in agent. The data is structured (JSON-serializable values conforming to declared schemas). -09. Do features in this specification enable access to device sensors? +> 09. Do features in this specification enable access to device sensors? No. -10. Do features in this specification enable new script execution/loading mechanisms? +> 10. Do features in this specification enable new script execution/loading mechanisms? No. Tool `execute` callbacks are ordinary JavaScript invoked in the registering document's existing realm. -11. Do features in this specification allow an origin to access other devices? +> 11. Do features in this specification allow an origin to access other devices? No. -12. Do features in this specification allow an origin some measure of control over a user agent's native UI? +> 12. Do features in this specification allow an origin some measure of control over a user agent's native UI? No direct control. There is discussion of `requestUserInput` in [Issue #165](https://github.com/webmachinelearning/webmcp/issues/165). -13. What temporary identifiers do the features in this specification create or expose to the web? +> 13. What temporary identifiers do the features in this specification create or expose to the web? None. -14. How does this specification distinguish between behavior in first-party and third-party contexts? +> 14. 
How does this specification distinguish between behavior in first-party and third-party contexts? The feature is gated by Permissions Policy `"tools"`. It is allowed in top-level documents and same-origin descendants by default; Permissions Policy can be used to allow it in cross-origin iframes and/or to disallow it in same-origin frames. Additionally, tools can specify `exposedTo` to control which origins (or `native-agents`, name to be bikeshed per [#179](https://github.com/webmachinelearning/webmcp/pull/179)) can discover them. -15. How do the features in this specification work in the context of a browser's Private Browsing or Incognito mode? +> 15. How do the features in this specification work in the context of a browser's Private Browsing or Incognito mode? We do not anticipate any differences. -16. Does this specification have both "Security Considerations" and "Privacy Considerations" sections? +> 16. Does this specification have both "Security Considerations" and "Privacy Considerations" sections? Yes. See [Security and Privacy Considerations](https://webmachinelearning.github.io/webmcp/#security-privacy). -17. Do features in your specification enable origins to downgrade default security protections? +> 17. Do features in your specification enable origins to downgrade default security protections? No. -18. What happens when a document that uses your feature is kept alive in BFCache (instead of getting destroyed) after navigation, and potentially gets reused on future navigations back to the document? +> 18. What happens when a document that uses your feature is kept alive in BFCache (instead of getting destroyed) after navigation, and potentially gets reused on future navigations back to the document? A BFCached document's registered tools remain in memory. While the document is non-fully-active, agents should not invoke its tools or deliver events to it. On restoration, registered tools become available again. -19. 
What happens when a document that uses your feature gets disconnected? +> 19. What happens when a document that uses your feature gets disconnected? A disconnected document's tools are no longer discoverable or invokable by agents. Pending tool invocations associated with the document are abandoned. -20. Does your spec define when and how new kinds of errors should be raised? +> 20. Does your spec define when and how new kinds of errors should be raised? Yes. `registerTool()` throws `InvalidStateError` for inactive documents, duplicate names, or invalid name/description; `NotAllowedError` when the `"tools"` Permissions Policy is disallowed; `SecurityError` for non-trustworthy `exposedTo` origins; and `TypeError` when `inputSchema` serialization fails. These errors only reflect the page's own state and inputs, so they do not leak new information. -21. Does your feature allow sites to learn about the user's use of assistive technology? +> 21. Does your feature allow sites to learn about the user's use of assistive technology? No. -22. What should this questionnaire have asked? +> 22. What should this questionnaire have asked? None that we can think of. \ No newline at end of file From e2c933cc79978f5534643745c19930d65c50ca65 Mon Sep 17 00:00:00 2001 From: Victor Huang Date: Mon, 1 Jun 2026 13:05:38 -0700 Subject: [PATCH 05/14] update wording to built-in agent Co-authored-by: Dominic Farolino --- security-privacy-questionnaire.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security-privacy-questionnaire.md b/security-privacy-questionnaire.md index 17fdd62..e899b4d 100644 --- a/security-privacy-questionnaire.md +++ b/security-privacy-questionnaire.md 
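Review bot: besides adding the `> ` prefix to the questions, this hunk rewrites several unchanged answer lines only to strip trailing whitespace (for example the `exposedTo` sentence under question 01 and the question 02 answer), so the commit message "Format questions ... for consistency" undersells the scope; either mention the whitespace cleanup in the message or split it into its own commit so the formatting change stays reviewable. Rendering-wise the `> 01.` form is fine: each quoted item is a one-item ordered list and CommonMark honours the start number, so the numbering survives.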
@@ -2,7 +2,7 @@ > 01. What information does this feature expose, and for what purposes? -WebMCP exposes author-defined tool metadata and tool return values to the user agent. It does not expose new information about the user or their environment to origins. +WebMCP exposes author-defined tool metadata and tool return values to the built-in AI agent. It does not expose new information about the user or their environment to origins. Cross-origin iframes may discover these tools only if the tool author explicitly opts in via `exposedTo`. From 39c96b7141ee3b2f3a8df2df73d38ecfe4599661 Mon Sep 17 00:00:00 2001 From: Victor Huang Date: Mon, 1 Jun 2026 13:06:03 -0700 Subject: [PATCH 06/14] update phrasing Co-authored-by: Dominic Farolino --- security-privacy-questionnaire.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security-privacy-questionnaire.md b/security-privacy-questionnaire.md index e899b4d..337e636 100644 --- a/security-privacy-questionnaire.md +++ b/security-privacy-questionnaire.md @@ -8,7 +8,7 @@ Cross-origin iframes may discover these tools only if the tool author explicitly > 02. Do features in your specification expose the minimum amount of information necessary to implement the intended functionality? -Yes. The API surface exposes only what is necessary for agents to discover and invoke tools. The information that flows through tool parameters and return values is entirely scoped to what the author declares. +Yes. The API surface exposes only what is necessary for agents to discover and invoke tools. The information that flows through tool metadata like parameters and annotations, as well as tool return values, is entirely scoped to what the author declares. > 03. Do the features in your specification expose personal information, personally-identifiable information (PII), or information derived from either? From 79e804cb8f585ea298d400176ad36c0ff2ce5d80 Mon Sep 17 00:00:00 2001 
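Review bot: the changed sentence keeps "It does not expose new information about the user or their environment to origins", but the unchanged context line directly below it, "Cross-origin iframes may discover these tools only if the tool author explicitly opts in via `exposedTo`.", means tool metadata is exposed to other origins once the author opts in; qualify the claim, e.g. "to origins other than those the tool author opts in via `exposedTo`". The term "built-in AI agent" introduced here also differs from "the platform's built-in agent" (question 08) and the `native-agents` value named in question 14; pick one term and use it throughout the questionnaire.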
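Review bot: "tool metadata like parameters and annotations" should read "such as", and since question 12 describes annotations as something that can change how the agent presents an invocation, this minimisation answer should say that annotations are author-supplied hints and link the same tool-annotations definition that question 12 links, so a reader checking data minimisation can find what an annotation may contain.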
From: Victor Huang Date: Mon, 1 Jun 2026 13:07:01 -0700 Subject: [PATCH 07/14] change spelling for implementers Co-authored-by: Dominic Farolino --- security-privacy-questionnaire.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security-privacy-questionnaire.md b/security-privacy-questionnaire.md index 337e636..55b6fdf 100644 --- a/security-privacy-questionnaire.md +++ b/security-privacy-questionnaire.md @@ -14,7 +14,7 @@ Yes. The API surface exposes only what is necessary for agents to discover and i No, the API itself does not expose PII. -We note a novel challenge for agent implementors: malicious tools can request a non-minimal set of personal data via their input parameters, causing privacy leakage. See [Privacy Leakage through Over-Parameterization](https://w3c.github.io/webmcp/#privacy-leakage-over-parameterization) for details. WebMCP does not increase the attack vector compared to tools in non-WebMCP contexts, but implementors should be aware that this risk exists. +We note a novel challenge for agent implementers: malicious tools can request a non-minimal set of personal data via their input parameters, causing privacy leakage. See [Privacy Leakage through Over-Parameterization](https://w3c.github.io/webmcp/#privacy-leakage-over-parameterization) for details. WebMCP does not increase the attack vector compared to tools in non-WebMCP contexts, but agent implementers should be aware that this risk exists. > 04. How do the features in your specification deal with sensitive information? From 4e84b15bf39b1525fcff3cdb4b715d7506197ce0 Mon Sep 17 00:00:00 2001 From: Victor Huang Date: Mon, 1 Jun 2026 13:08:37 -0700 Subject: [PATCH 08/14] update wording for permission policy Co-authored-by: Dominic Farolino --- security-privacy-questionnaire.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security-privacy-questionnaire.md b/security-privacy-questionnaire.md index 55b6fdf..ef40169 100644 
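Review bot: "WebMCP does not increase the attack vector" uses the wrong term; the sentence is about how much personal data a tool can ask for, i.e. attack surface. The comparison with non-WebMCP tools also deserves one qualifying clause: here the agent, not the user, fills the input parameters, so the user may never see which personal data a tool requested; the mitigation this implies for implementers (surfacing the parameter values to the user before invocation, the confirmation step that question 12 refers to) is worth stating in this paragraph rather than leaving "should be aware that this risk exists" open-ended.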
--- a/security-privacy-questionnaire.md +++ b/security-privacy-questionnaire.md @@ -58,7 +58,7 @@ None. > 14. How does this specification distinguish between behavior in first-party and third-party contexts? -The feature is gated by Permissions Policy `"tools"`. It is allowed in top-level documents and same-origin descendants by default; Permissions Policy can be used to allow it in cross-origin iframes and/or to disallow it in same-origin frames. +The feature is gated by the [`"tools"`](https://webmachinelearning.github.io/webmcp/#permissiondef-tools) permission policy. It is allowed in top-level documents and same-origin descendants by default; The permission policy can be used to allow it in cross-origin iframes and/or to disallow it in same-origin frames. Additionally, tools can specify `exposedTo` to control which origins (or `native-agents`, name to be bikeshed per [#179](https://github.com/webmachinelearning/webmcp/pull/179)) can discover them. From e4b6c552deb7edeb7560857e2570908a4a7178ac Mon Sep 17 00:00:00 2001 From: Victor Huang Date: Mon, 1 Jun 2026 15:41:56 -0700 Subject: [PATCH 09/14] Add links to `exposedTo` in security and privacy questionnaire for clarity --- security-privacy-questionnaire.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/security-privacy-questionnaire.md b/security-privacy-questionnaire.md index ef40169..1542337 100644 --- a/security-privacy-questionnaire.md +++ b/security-privacy-questionnaire.md 
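Review bot: "by default; The permission policy can be used" capitalises "The" after a semicolon. The specification is also named "Permissions Policy" (plural), which is how the unchanged answer to question 20 still writes it (`"tools"` Permissions Policy), so the new lowercase singular "permission policy" introduces an inconsistency; keep "Permissions Policy" together with the new link.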
@@ -4,7 +4,7 @@ WebMCP exposes author-defined tool metadata and tool return values to the built-in AI agent. It does not expose new information about the user or their environment to origins. -Cross-origin iframes may discover these tools only if the tool author explicitly opts in via `exposedTo`. +Cross-origin iframes may discover these tools only if the tool author explicitly opts in via [`exposedTo`](https://webmachinelearning.github.io/webmcp/#dom-modelcontextregistertooloptions-exposedto). > 02. Do features in your specification expose the minimum amount of information necessary to implement the intended functionality? @@ -60,7 +60,7 @@ None. The feature is gated by the [`"tools"`](https://webmachinelearning.github.io/webmcp/#permissiondef-tools) permission policy. It is allowed in top-level documents and same-origin descendants by default; The permission policy can be used to allow it in cross-origin iframes and/or to disallow it in same-origin frames. -Additionally, tools can specify `exposedTo` to control which origins (or `native-agents`, name to be bikeshed per [#179](https://github.com/webmachinelearning/webmcp/pull/179)) can discover them. +Additionally, tools can specify [`exposedTo`](https://webmachinelearning.github.io/webmcp/#dom-modelcontextregistertooloptions-exposedto) to control which origins (or `native-agents`, name to be bikeshed per [#179](https://github.com/webmachinelearning/webmcp/pull/179)) can discover them. > 15. How do the features in this specification work in the context of a browser's Private Browsing or Incognito mode? 
@@ -84,7 +84,7 @@ A disconnected document's tools are no longer discoverable or invokable by agent > 20. Does your spec define when and how new kinds of errors should be raised? -Yes. `registerTool()` throws `InvalidStateError` for inactive documents, duplicate names, or invalid name/description; `NotAllowedError` when the `"tools"` Permissions Policy is disallowed; `SecurityError` for non-trustworthy `exposedTo` origins; and `TypeError` when `inputSchema` serialization fails. These errors only reflect the page's own state and inputs, so they do not leak new information. +Yes. `registerTool()` throws `InvalidStateError` for inactive documents, duplicate names, or invalid name/description; `NotAllowedError` when the `"tools"` Permissions Policy is disallowed; `SecurityError` for non-trustworthy [`exposedTo`](https://webmachinelearning.github.io/webmcp/#dom-modelcontextregistertooloptions-exposedto) origins; and `TypeError` when `inputSchema` serialization fails. These errors only reflect the page's own state and inputs, so they do not leak new information. > 21. Does your feature allow sites to learn about the user's use of assistive technology? From 770d7c75e19aa73f7ea0b8c3678839a6e3a465b2 Mon Sep 17 00:00:00 2001 From: Victor Huang Date: Mon, 1 Jun 2026 15:45:45 -0700 Subject: [PATCH 10/14] Update bfcache section on register, listing tools --- security-privacy-questionnaire.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security-privacy-questionnaire.md b/security-privacy-questionnaire.md index 1542337..f850772 100644 --- a/security-privacy-questionnaire.md +++ b/security-privacy-questionnaire.md 
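Review bot: "`SecurityError` for non-trustworthy `exposedTo` origins" is ambiguous now that the term is linked: if "non-trustworthy" means origins that are not potentially trustworthy origins in the Secure Contexts sense, say so and link that definition; if it means something else (for example an origin the user agent refuses for policy reasons), describe it, because the error condition is what an author needs to avoid and what a reviewer needs to check against the exposure claim in question 01.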
@@ -76,7 +76,7 @@ No. > 18. What happens when a document that uses your feature is kept alive in BFCache (instead of getting destroyed) after navigation, and potentially gets reused on future navigations back to the document? -A BFCached document's registered tools remain in memory. While the document is non-fully-active, agents should not invoke its tools or deliver events to it. On restoration, registered tools become available again. +A BFCached document's registered tools remain in memory but are unavailable while the document is non-fully-active: tools cannot be invoked, registered, or retrieved. On restoration, registered tools become available again. > 19. What happens when a document that uses your feature gets disconnected? From cff5b3a59cf54c9fc53aa457555b070777e8d990 Mon Sep 17 00:00:00 2001 From: Victor Huang Date: Mon, 1 Jun 2026 15:55:40 -0700 Subject: [PATCH 11/14] Clarify control over user agent's native UI --- security-privacy-questionnaire.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/security-privacy-questionnaire.md b/security-privacy-questionnaire.md index f850772..1f2a711 100644 --- a/security-privacy-questionnaire.md +++ b/security-privacy-questionnaire.md @@ -50,7 +50,9 @@ No. > 12. Do features in this specification allow an origin some measure of control over a user agent's native UI? -No direct control. There is discussion of `requestUserInput` in [Issue #165](https://github.com/webmachinelearning/webmcp/issues/165). +[Tool annotations](https://webmachinelearning.github.io/webmcp/#dom-modelcontexttoolannotations) can indirectly influence how an agent presents a tool invocation in its UI (e.g., a `readOnlyHint` may cause the agent to skip a confirmation step). + +More directly, there is discussion of `requestUserInput` in [Issue #165](https://github.com/webmachinelearning/webmcp/issues/165). > 13. What temporary identifiers do the features in this specification create or expose to the web? 
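Review bot: the new wording "tools cannot be invoked, registered, or retrieved" drops the old clause "or deliver events to it"; confirm whether events to a non-fully-active document are still suppressed, and state what happens to an invocation that is already in flight when the document enters BFCache, since the new text covers only new invoke, register and retrieve calls. One sentence such as "An in-flight invocation is treated as in question 19" would close that gap if that is the intent.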
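Review bot: "a `readOnlyHint` may cause the agent to skip a confirmation step" describes an author-supplied value that the agent cannot verify, so an inaccurate or malicious hint could lead an agent to skip confirmation for a tool that actually changes state; the answer should state that annotations are untrusted hints which agents must not rely on for security decisions, and link the relevant considerations section if the spec has one. Also keep the removed sentence "No direct control." as the first line, since `requestUserInput` is only under discussion in Issue #165 and the answer should still give a clear current position.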
From 8e1013fd84f68189271dc7592529afaafcbec9fb Mon Sep 17 00:00:00 2001 From: Victor Huang Date: Mon, 1 Jun 2026 16:34:09 -0700 Subject: [PATCH 12/14] Apply suggestions from code review Co-authored-by: Dominic Farolino --- security-privacy-questionnaire.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security-privacy-questionnaire.md b/security-privacy-questionnaire.md index 1f2a711..ee157d7 100644 --- a/security-privacy-questionnaire.md +++ b/security-privacy-questionnaire.md @@ -34,7 +34,7 @@ No. > 08. Does this specification allow an origin to send data to the underlying platform? -Tool inputs and outputs flow between the page and the authorized agent, which may include the user agent's built-in agent. The data is structured (JSON-serializable values conforming to declared schemas). +Yes, tool inputs and outputs flow between an origin and the platform's built-in agent. The data is structured JSON-serializable values conforming to declared schemas. > 09. Do features in this specification enable access to device sensors? From 547166020fca25cf25be60f5869d73a4655d9506 Mon Sep 17 00:00:00 2001 From: Victor Huang Date: Mon, 1 Jun 2026 16:37:40 -0700 Subject: [PATCH 13/14] Clarify abandoned meaning --- security-privacy-questionnaire.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/security-privacy-questionnaire.md b/security-privacy-questionnaire.md index 1f2a711..f0825f4 100644 --- a/security-privacy-questionnaire.md +++ b/security-privacy-questionnaire.md 
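Review bot: "The data is structured JSON-serializable values conforming to declared schemas." needs "consists of structured, JSON-serializable values"; more importantly, the only schema named anywhere in the questionnaire is `inputSchema` (question 20), so if tool outputs have no declared schema the phrase "conforming to declared schemas" holds only for inputs and should say so. The old wording also covered an "authorized agent" that need not be the built-in one; since the question is about the underlying platform, narrowing to "the platform's built-in agent" is fine, but a short clause noting that in-page agents are same-origin script and do not count as the platform would explain why the earlier case was dropped.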
@@ -82,7 +82,12 @@ A BFCached document's registered tools remain in memory but are unavailable whil > 19. What happens when a document that uses your feature gets disconnected? -A disconnected document's tools are no longer discoverable or invokable by agents. Pending tool invocations associated with the document are abandoned. +A disconnected document's tools are no longer discoverable or invokable by agents. Pending tool invocations associated with the document are abandoned: + +- In-page agents: the caller's Promise will be rejected +- Built-in agents: the agent will be notified that the tool call failed + +Note: this behavior is not yet spec'd but is the intended direction. > 20. Does your spec define when and how new kinds of errors should be raised? From a7e298d887d12c44035123528435bcf6eb5e1566 Mon Sep 17 00:00:00 2001 From: Victor Huang Date: Mon, 1 Jun 2026 16:47:44 -0700 Subject: [PATCH 14/14] update PII exposure Co-authored-by: Dominic Farolino --- security-privacy-questionnaire.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security-privacy-questionnaire.md b/security-privacy-questionnaire.md index 41f17f1..6afed68 100644 --- a/security-privacy-questionnaire.md +++ b/security-privacy-questionnaire.md 
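Review bot: the index line "index 1f2a711..f0825f4" shows this patch was generated against 1f2a711, the blob before PATCH 12 (whose hunk produced ee157d7), and PATCH 14's base 41f17f1 is produced by no patch in this series, so the set will not apply cleanly in order; please regenerate it from a linear history. On the content, "the caller's Promise will be rejected" should name the error used (question 20 enumerates `InvalidStateError` for inactive documents, which looks like the intended one) so the error inventory in question 20 stays complete, and the trailing "Note: this behavior is not yet spec'd" should link the tracking issue so a reader can tell when the answer becomes normative.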
@@ -12,7 +12,7 @@ Yes. The API surface exposes only what is necessary for agents to discover and i > 03. Do the features in your specification expose personal information, personally-identifiable information (PII), or information derived from either? -No, the API itself does not expose PII. +No, the API itself does not expose PII, but the tools that authors choose to implement _can_, depending on their nature. We note a novel challenge for agent implementers: malicious tools can request a non-minimal set of personal data via their input parameters, causing privacy leakage. See [Privacy Leakage through Over-Parameterization](https://w3c.github.io/webmcp/#privacy-leakage-over-parameterization) for details. WebMCP does not increase the attack vector compared to tools in non-WebMCP contexts, but agent implementers should be aware that this risk exists.
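Review bot: "No, the API itself does not expose PII, but the tools that authors choose to implement _can_" opens with an answer that the rest of the sentence contradicts; "Not directly." reads better. Since the answer now concedes that tools can expose PII, say to whom it flows (the built-in agent, and cross-origin iframes that the author opts in via `exposedTo`, per question 01) and cross-reference the handling described under question 04, so the reader is not left with a bare "can, depending on their nature".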