@modelcontextprotocol/ext-apps - v1.1.2

    Interface McpUiResourceCsp

    Content Security Policy configuration for UI resources.

    Servers declare which origins their UI requires. Hosts use this to enforce appropriate CSP headers.

    Important

    MCP App HTML runs in a sandboxed iframe with no same-origin server. All origins must be declared—including where your bundled JS/CSS is served from (localhost in dev, your CDN in production).

    interface McpUiResourceCsp {
        baseUriDomains?: string[];
        connectDomains?: string[];
        frameDomains?: string[];
        resourceDomains?: string[];
    }

    Properties

    baseUriDomains?: string[]

    Allowed base URIs for the document.

    • Maps to CSP base-uri directive
    • Empty or omitted → only same origin allowed (base-uri 'self')
    ["https://cdn.example.com"]
    
    connectDomains?: string[]

    Origins for network requests (fetch/XHR/WebSocket).

    • Maps to CSP connect-src directive
    • Empty or omitted → no network connections (secure default)
    ["https://api.weather.com", "wss://realtime.service.com"]
    
    frameDomains?: string[]

    Origins for nested iframes.

    • Maps to CSP frame-src directive
    • Empty or omitted → no nested iframes allowed (frame-src 'none')
    ["https://www.youtube.com", "https://player.vimeo.com"]
    
    resourceDomains?: string[]

    Origins for static resources (images, scripts, stylesheets, fonts, media).

    • Maps to CSP img-src, script-src, style-src, font-src, media-src directives
    • Wildcard subdomains supported: https://*.example.com
    • Empty or omitted → no network resources (secure default)
    ["https://cdn.jsdelivr.net", "https://*.cloudflare.com"]
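
    A sketch of how a host could turn a server's McpUiResourceCsp into a header value while refusing entries that are not plain origins. This is an added example, not code from the ext-apps package. `buildCsp`, `sources` and `ORIGIN` are hypothetical names; the `default-src 'none'` baseline and the use of `'none'` for the empty resource and connect lists are assumptions of this example.

```typescript
// Field names are from the interface above; everything else is hypothetical.
interface McpUiResourceCsp {
  baseUriDomains?: string[];
  connectDomains?: string[];
  frameDomains?: string[];
  resourceDomains?: string[];
}

// Accept only scheme://host[:port], optionally with a leading "*." label.
// Spaces, ';', ',', quotes and paths never match, so a server-supplied
// string cannot smuggle extra directives or keywords into the header.
const ORIGIN = /^(https?|wss?):\/\/(\*\.)?[a-z0-9-]+(\.[a-z0-9-]+)*(:\d{1,5})?$/i;

function sources(list: string[] | undefined, fallback: string, wildcard = false): string {
  if (!list || list.length === 0) return fallback;
  for (const entry of list) {
    // Wildcards are documented for resourceDomains only, so reject them elsewhere.
    if (!ORIGIN.test(entry) || (!wildcard && entry.includes("*"))) {
      throw new Error(`rejected CSP source: ${JSON.stringify(entry)}`);
    }
  }
  return list.join(" ");
}

function buildCsp(csp: McpUiResourceCsp = {}): string {
  // Assumption: 'none' stands in for "no network resources/connections",
  // for which the page gives no literal directive value.
  const resources = sources(csp.resourceDomains, "'none'", true);
  const resourceDirectives = ["img-src", "script-src", "style-src", "font-src", "media-src"];
  return [
    "default-src 'none'", // example's own baseline, not stated on the page
    ...resourceDirectives.map((d) => `${d} ${resources}`),
    `connect-src ${sources(csp.connectDomains, "'none'")}`,
    `frame-src ${sources(csp.frameDomains, "'none'")}`,
    `base-uri ${sources(csp.baseUriDomains, "'self'")}`,
  ].join("; ");
}
```

    Validating before joining matters because every entry originates from the server and ends up verbatim inside a security header.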