claude-in-chrome: output sanitizer blocks URLs with two query params
Resolved 💬 1 comment Opened May 5, 2026 by lancejohnson Closed Jun 2, 2026
The javascript_tool output sanitizer blocks any string with = AND (; OR &), labeling it [BLOCKED: Cookie/query string data]. False-positives on every signed URL (S3/CloudFront/Skool/etc.) since ?a=1&b=2 matches.
Source: ~/Library/Application Support/Google/Chrome/Default/Extensions/<id>/<ver>/assets/mcpPermissions-*.js
if (e.includes("=") && (e.includes(";") || e.includes("&")))
return "[BLOCKED: Cookie/query string data]";
Cookies are ;-separated and lack a scheme; URLs start with http(s)://. The rule should distinguish them.
Breaks the common pattern of returning a signed asset URL out of Chrome to curl from the shell.
This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗