Hi Tom, the team is working both with Chrome Security and in the W3C WebML CG (see P&S considerations <https://github.com/webmachinelearning/webmcp/blob/main/docs/security-privacy-considerations.md>) to figure out these challenges, with bi-weekly CG meetings where security and privacy questions are actively being discussed. I agree that there is a lot we have to get right here, and we'll involve TAG and others for help and review as per the process. Note that this is an early prototype for developer testing and not an intent to to ship.
I'm happy to join any SING call if you'd like to discuss this further. Thanks! Johann On Mon, Feb 9, 2026 at 8:17 PM Tom Jones <[email protected]> wrote: > based on the explainer there has been no security review. > Are any W3C reviews in process? > I couldn't tell if anyone was addressing/prototyping A2A? > > I believe this would be a privacy nightmare for any user of a browser > enabling this and will create a threat model for W3C SING if no one is > currently underway. > > Peace ..tom jones > > > On Mon, Feb 9, 2026 at 4:40 PM Chromestatus < > [email protected]> wrote: > >> *Contact emails* >> [email protected], [email protected], [email protected], >> [email protected] >> >> *Explainer* >> https://github.com/webmachinelearning/webmcp >> >> *Specification* >> *No information provided* >> >> *Summary* >> WebMCP is a proposal for a web API that enables web pages to provide >> agent-specific paths in their UI. With WebMCP, agent-service interaction >> takes place via app-controlled UI, providing a shared context available to >> app, agent, and user. >> >> *Blink component* >> Blink>Agentic Platform>WebMCP >> <https://issues.chromium.org/issues?q=customfield1222907:%22Blink%3EAgentic%20Platform%3EWebMCP%22> >> >> *Web Feature ID* >> Missing feature >> >> *Search tags* >> WebMCP <http:///features#tags:WebMCP> >> >> *Risks* >> >> >> *Interoperability and Compatibility* >> Given this is a new space and new API - there's no compatibility risk. >> Usual risk related to other browser vendors not adopting the API apply. >> This API is meant to augment capabilities provided by browser add-ons and >> so non-adoption in other engines would have limited user-impact and thus we >> consider the risk to be low. >> >> *Gecko*: No signal >> >> *WebKit*: No signal >> >> *Web developers*: No signals >> >> *Other signals*: >> >> *WebView application risks* >> >> Does this intent deprecate or change behavior of existing APIs, such that >> it has potentially high risk for Android WebView-based applications? >> *No information provided* >> >> >> *Debuggability* >> WebMCP will raise issues to a DevTools WebMCP Panel to help surface >> configuration errors, such as malformed structured schemas, improper >> function registration, and failed actuation attempts by the agent. >> >> *Will this feature be supported on all six Blink platforms (Windows, Mac, >> Linux, ChromeOS, Android, and Android WebView)?* >> Yes >> >> *Is this feature fully tested by web-platform-tests >> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?* >> No >> The IDL and basic usage is tested via WPTs. Since the API provides the >> user agent with the ability to call certain tools, we might need to extend >> the WPT harness to support this. >> >> *DevTrial instructions* >> >> https://docs.google.com/document/d/1rtU1fRPS0bMqd9abMG_hc6K9OAI6soUy3Kh00toAgyk/edit?tab=t.0 >> >> *Flag name on about://flags* >> Experimental Web Platform features >> >> *Finch feature name* >> WebMCP >> >> *Requires code in //chrome?* >> True >> >> *Tracking bug* >> https://crbug.com/445637567 >> >> *Estimated milestones* >> DevTrial on desktop 146 >> >> *Link to entry on the Chrome Platform Status* >> https://chromestatus.com/feature/5117755740913664 >> >> *Links to previous Intent discussions* >> Intent to Prototype: >> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CANMmsAtRdyRw1WtO5va0K%3D_adYH-FRh01xvw5%2BosSd_DAq%3D%3DUQ%40mail.gmail.com >> >> >> This intent message was generated by Chrome Platform Status >> <https://chromestatus.com>. >> >> -- >> You received this message because you are subscribed to the Google Groups >> "blink-dev" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to [email protected]. >> To view this discussion visit >> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/698a7e93.050a0220.29f6fd.0504.GAE%40google.com >> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/698a7e93.050a0220.29f6fd.0504.GAE%40google.com?utm_medium=email&utm_source=footer> >> . >> > -- > You received this message because you are subscribed to the Google Groups > "blink-dev" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion visit > https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAK2Cwb51e%3DwR-fgt0ir%3DDUuhpLSMOOR_0npzb1Fvw6mv2vg78Q%40mail.gmail.com > <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAK2Cwb51e%3DwR-fgt0ir%3DDUuhpLSMOOR_0npzb1Fvw6mv2vg78Q%40mail.gmail.com?utm_medium=email&utm_source=footer> > . > -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAD_OO4gXY%3DzgwDvoU8x8q5LNBqxRqMVLjn3SpqMxk4fVE%3DMZCQ%40mail.gmail.com.
