High-risk tools in Chrome Devtools
18 of the 32 tools in Chrome Devtools are classified as high risk. This page profiles those tools specifically, with recommended policy actions and the attack patterns that target them.
Every operation listed below is an action PolicyLayer recommends controlling at the transport layer. Open any tool to see the full profile, risk score, and YAML policy snippet.
Tools at high risk
-
clickExecuteClicks on the provided element
-
click_atExecuteClicks at the provided coordinates
-
dragExecuteDrag an element onto another element
-
emulateExecuteEmulates various features on the selected page.
-
evaluate_scriptExecuteEvaluate a JavaScript function inside the currently selected page. Returns the response as JSON, so returned values have to be JSON-serializable.
-
fillExecuteType text into a input, text area or select an option from a <select> element.
-
handle_dialogExecuteIf a browser dialog was opened, use this command to handle it
-
hoverExecuteHover over the provided element
-
install_extensionExecuteInstalls a Chrome extension from the given path.
-
navigate_pageExecuteNavigates the currently selected page to a URL.
-
new_pageExecuteCreates a new page
-
performance_start_traceExecuteStarts a performance trace recording on the selected page. This can be used to look for performance problems and insights to improve the performance of the page. It will also re...
-
performance_stop_traceExecuteStops the active performance trace recording on the selected page.
-
press_keyExecutePress a key or key combination. Use this when other input methods like fill() cannot be used (e.g., keyboard shortcuts, navigation keys, or special key combinations).
-
reload_extensionExecuteReloads an unpacked Chrome extension by its ID.
-
resize_pageExecuteResizes the selected page
-
select_pageExecuteSelect a page as a context for future tool calls.
-
wait_forExecuteWait for the specified text to appear on the selected page.
Attacks that target this class
High-risk tools in any server share these documented attack patterns. Each links to the full case and the defensive policy.