π Before claiming this issue
Two quick steps before you open a PR:
- β Star the repository β low-friction signal that you'll follow through
- π¬ Comment
I'll take this (or similar) below β prevents two contributors racing on the same issue
Full policy: CONTRIBUTING.md β How to claim. If a claim is older than 7 days with no PR, you can reclaim it politely.
Tracks follow-up #1 from PR #17 security review. Blocked on mcp-server-v1 M3 (~Jul 28, 2026).
What
MCPPairingPanel currently stores the pairing token in chrome.storage.local. This is too long-lived β tokens persist across browser restarts and can be exfiltrated via any extension with storage permission. Use chrome.storage.session instead (cleared on browser restart, isolated per-tab).
Why
chrome.storage.local is persistent + readable by any extension with the storage permission. The MCP pairing token grants control of the debugger β same trust level as a session cookie. It should:
- Survive panel navigation within the same browser session
- Be cleared on browser restart
- Not be readable by other extensions
chrome.storage.session satisfies all 3. It's been available since MV3 launched.
Acceptance criteria
Implementation hint
// In MCPPairingPanel.tsx
const TOKEN_KEY = 'mcp_pairing_token_v1';
async function saveToken(token: string) {
await chrome.storage.session.set({ [TOKEN_KEY]: token });
}
async function readToken(): Promise<string | null> {
const { [TOKEN_KEY]: token } = await chrome.storage.session.get(TOKEN_KEY);
return token ?? null;
}
// One-time migration helper
async function migrateLegacyToken() {
const { [TOKEN_KEY]: legacy } = await chrome.storage.local.get(TOKEN_KEY);
if (legacy) {
await chrome.storage.session.set({ [TOKEN_KEY]: legacy });
await chrome.storage.local.remove(TOKEN_KEY);
}
}
Context
Tracks follow-up #1 from PR #17 security review. Blocked on
mcp-server-v1M3 (~Jul 28, 2026).What
MCPPairingPanel currently stores the pairing token in
chrome.storage.local. This is too long-lived β tokens persist across browser restarts and can be exfiltrated via any extension withstoragepermission. Usechrome.storage.sessioninstead (cleared on browser restart, isolated per-tab).Why
chrome.storage.localis persistent + readable by any extension with thestoragepermission. The MCP pairing token grants control of the debugger β same trust level as a session cookie. It should:chrome.storage.sessionsatisfies all 3. It's been available since MV3 launched.Acceptance criteria
src/panel/components/MCPPairingPanel.tsxgo throughchrome.storage.session(notchrome.storage.local)chrome.storage.localentries for old keys are read once at panel load, copied to session, then deleted from localchrome.storage.localafter the migration runsImplementation hint
Context