feat: support --allowedOrigins & --blockedOrigins in CLI

[sakupi01]

This PR adds URL validation functionality to restrict Puppeteer browser navigation to allowed origins.

• UrlValidator class with allowlist/denylist support using glob patterns
• CLI options (--allowedOrigins, --deniedOrigins) to configure URL filtering
• Request interception to block navigation to specific URLs

Motivation

When adopting browser automation MCPs in a corporate environment, it can be a good reason for adoption to restrict accessible origins to deal with security concerns. Flagging on which domains the MCP server can access (e.g. localhost only) prevents unintended navigation to unauthorized or potentially malicious sites while maintaining safe internal tool usage.

[google-cla]

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

[sakupi01]

Build failed in local without zod, so I added. (I wonder if others don't have this issue.)

[OrKoN]

Thanks for the PR. We will review it once we are sure we want to use request interception for this. Request interception has a bunch of drawbacks. Could you please file an issue describing your use case instead so that we can collect the feedback from other users as well?

[sakupi01]

@OrKoN

Thank you for taking this into account!
Here's a detailed motivation of the PR: #239

[OrKoN]

Closing the PR, due to conflicts. We will use #239 to decided if we want to add this feature with the implementation based on https://chromedevtools.github.io/devtools-protocol/tot/Network/#method-setBlockedURLs

[noambenami]

FWIW in my company we are blocked from using this MCP due to the lack of this feature. We'll need to patch it in ourselves if not provided. Love to get this prioritized.