BREAKING CHANGE: browser.evaluateEnabled now defaults to false.
The evaluate feature allows arbitrary JavaScript execution in the browser
context via the /act endpoint (kind=evaluate) and wait --fn. This is a
powerful escape hatch for advanced automation but poses security risks:
- Prompt injection: LLM agents can be tricked into running malicious code
- Network exposure: If gateway is accessible, attackers can exfiltrate data
- Session hijacking: Code runs with access to cookies, localStorage, DOM
With this change:
- act:evaluate and wait --fn return 403 by default
- Users who need this feature can enable it explicitly:
browser.evaluateEnabled: true
Built-in actions (click, type, screenshot, wait for text/URL, etc.) remain
fully functional and cover the vast majority of automation use cases.
ad7cd8f44d