Summary
Review Browser Use and Chrome native-host packaging and runtime boundaries.
Source
Migrated from docs/maintainers/security-backlog.md.
Maintained Docs
- Security backlog index and review workflow: docs/maintainers/security-backlog.md
- Threat model: docs/maintainers/threat-model.md
- Package and runtime maintenance: docs/maintainers/package-runtime-maintenance.md
Context
The generated app stages Browser Use resources and the upstream Chrome plugin with Linux native-messaging support for Chrome, Brave, and Chromium. These components run in the user's desktop session and bridge browser state into Codex through local plugin and native-host paths.
Review Gate
Run the @codex-security workflow before treating implementation as review-ready.
Desired State
- Native-messaging manifests and host paths are restricted to packaged assets and expected extension identities.
- Browser profile discovery and launch commands use argument vectors and sanitized inputs.
- Browser Use and Chrome plugin logs avoid persisting page data, tokens, or browser profile paths longer than needed.
- Stale browser, CDP, or native-host clients cannot receive unintended future commands.
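One way to check the first Desired State item during review, as an added example that is not the project's own code. The function name audit_manifest, the packaged-root argument, the host name, and the extension IDs are assumptions, and the sample manifests are constructed.

```python
import os
import re
import stat
import tempfile

# Chrome extension IDs are 32 characters drawn from a-p; wildcards are not valid origins.
ORIGIN_RE = re.compile(r"^chrome-extension://([a-p]{32})/$")

def audit_manifest(manifest, packaged_root, expected_ids):
    """Return findings for one native-messaging host manifest (parsed JSON dict)."""
    findings = []
    if manifest.get("type") != "stdio":
        findings.append("type must be 'stdio'")
    path = manifest.get("path", "")
    root = os.path.realpath(packaged_root)
    real = os.path.realpath(path)  # resolves symlinks before the containment check
    if not os.path.isabs(path):    # Linux native messaging requires an absolute path
        findings.append("path is not absolute")
    elif os.path.commonpath([root, real]) != root:
        findings.append(f"path resolves outside packaged assets: {real}")
    elif not os.path.isfile(real):
        findings.append("host binary missing")
    elif os.stat(real).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("host binary is group/world writable")
    origins = manifest.get("allowed_origins") or []
    if not origins:
        findings.append("allowed_origins is empty")
    for origin in origins:
        m = ORIGIN_RE.match(origin)
        if not m:
            findings.append(f"malformed or wildcard origin: {origin}")
        elif m.group(1) not in expected_ids:
            findings.append(f"unexpected extension id: {m.group(1)}")
    return findings

def demo():
    """Constructed sample: a clean manifest and one with a symlinked host and extra origins."""
    tmp = tempfile.mkdtemp()
    root = os.path.join(tmp, "app")  # hypothetical packaged asset directory
    os.mkdir(root)
    host = os.path.join(root, "native-host")
    open(host, "w").close()
    os.chmod(host, 0o755)
    outside = os.path.join(tmp, "outside-host")
    open(outside, "w").close()
    link = os.path.join(root, "link-host")
    os.symlink(outside, link)  # lives under root but resolves elsewhere
    ok, other = "a" * 32, "b" * 32  # constructed extension IDs
    base = {"name": "com.example.host", "type": "stdio"}
    good = {**base, "path": host, "allowed_origins": [f"chrome-extension://{ok}/"]}
    bad = {**base, "path": link, "allowed_origins": [
        f"chrome-extension://{ok}/", f"chrome-extension://{other}/", "chrome-extension://*/"]}
    return audit_manifest(good, root, {ok}), audit_manifest(bad, root, {ok})
```
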