Skip to content

docs(skill): add CSP location and CORS pitfalls to common mistakes #407

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
antonpk1 wants to merge 2 commits into
base: main
Choose a base branch
from
Open

docs(skill): add CSP location and CORS pitfalls to common mistakes #407

antonpk1 wants to merge 2 commits into from
+15 −0

Conversation

@antonpk1
Copy link
Collaborator

@antonpk1 antonpk1 commented Jan 30, 2026
edited
Loading

Add three new items to the 'Common Mistakes to Avoid' section in the create-mcp-app skill:

@antonpk1
docs(skill): add CSP location and CORS pitfalls to common mistakes
e4d92c2 
Add three new items to the 'Common Mistakes to Avoid' section:
- CSP _meta must be in contents array, not registerResource config
- Localhost/private IPs blocked in CSP validation
- CORS vs CSP confusion with ui.domain guidance
@pkg-pr-new
Copy link

pkg-pr-new bot commented Jan 30, 2026
edited
Loading

Open in StackBlitz

@modelcontextprotocol/ext-apps

npm i https://pkg.pr.new/modelcontextprotocol/ext-apps/@modelcontextprotocol/ext-apps@407

@modelcontextprotocol/server-arcade

npm i https://pkg.pr.new/modelcontextprotocol/ext-apps/@modelcontextprotocol/server-arcade@407

@modelcontextprotocol/server-basic-react

npm i https://pkg.pr.new/modelcontextprotocol/ext-apps/@modelcontextprotocol/server-basic-react@407

@modelcontextprotocol/server-basic-vanillajs

npm i https://pkg.pr.new/modelcontextprotocol/ext-apps/@modelcontextprotocol/server-basic-vanillajs@407

@modelcontextprotocol/server-budget-allocator

npm i https://pkg.pr.new/modelcontextprotocol/ext-apps/@modelcontextprotocol/server-budget-allocator@407

@modelcontextprotocol/server-cohort-heatmap

npm i https://pkg.pr.new/modelcontextprotocol/ext-apps/@modelcontextprotocol/server-cohort-heatmap@407

@modelcontextprotocol/server-customer-segmentation

npm i https://pkg.pr.new/modelcontextprotocol/ext-apps/@modelcontextprotocol/server-customer-segmentation@407

@modelcontextprotocol/server-map

npm i https://pkg.pr.new/modelcontextprotocol/ext-apps/@modelcontextprotocol/server-map@407

@modelcontextprotocol/server-pdf

npm i https://pkg.pr.new/modelcontextprotocol/ext-apps/@modelcontextprotocol/server-pdf@407

@modelcontextprotocol/server-scenario-modeler

npm i https://pkg.pr.new/modelcontextprotocol/ext-apps/@modelcontextprotocol/server-scenario-modeler@407

@modelcontextprotocol/server-shadertoy

npm i https://pkg.pr.new/modelcontextprotocol/ext-apps/@modelcontextprotocol/server-shadertoy@407

@modelcontextprotocol/server-sheet-music

npm i https://pkg.pr.new/modelcontextprotocol/ext-apps/@modelcontextprotocol/server-sheet-music@407

@modelcontextprotocol/server-system-monitor

npm i https://pkg.pr.new/modelcontextprotocol/ext-apps/@modelcontextprotocol/server-system-monitor@407

@modelcontextprotocol/server-threejs

npm i https://pkg.pr.new/modelcontextprotocol/ext-apps/@modelcontextprotocol/server-threejs@407

@modelcontextprotocol/server-transcript

npm i https://pkg.pr.new/modelcontextprotocol/ext-apps/@modelcontextprotocol/server-transcript@407

@modelcontextprotocol/server-video-resource

npm i https://pkg.pr.new/modelcontextprotocol/ext-apps/@modelcontextprotocol/server-video-resource@407

@modelcontextprotocol/server-wiki-explorer

npm i https://pkg.pr.new/modelcontextprotocol/ext-apps/@modelcontextprotocol/server-wiki-explorer@407

commit: 5aa4c6c

@jonathanhefner
Copy link
Member

jonathanhefner commented Jan 30, 2026

I've added some more guidance for these in docs/patterns.md and in the API docs:

ext-apps/docs/patterns.md

Line 299 in ec0f217

## Configuring CSP and CORS

ext-apps/src/spec.types.ts

Lines 545 to 550 in ec0f217

* > [!IMPORTANT]
* > MCP App HTML runs in a sandboxed iframe with no same-origin server.
* > **All** origins must be declared—including where your bundled JS/CSS is
* > served from (`localhost` in dev, your CDN in production).
*/
export interface McpUiResourceCsp {

ext-apps/src/server/index.ts

Line 273 in ec0f217

* @example With CSP configuration for external domains

ext-apps/src/server/index.ts

Line 302 in ec0f217

* @example With stable origin for external API CORS allowlists

I've also opened #416 to refactor the skill to lean more on docs/patterns.md and to include the following "Common Mistakes":

  1. Missing CSP configuration - MCP Apps HTML is served as an MCP resource with no same-origin server; ALL network requests—even to localhost—require a CSP configuration
  2. CSP or CORS config in wrong _meta object - _meta.ui.csp and _meta.ui.domain go in the contents[] objects returned by registerAppResource()'s read callback, not in registerAppResource()'s config object

If you have some troublesome prompts, I can try them with the new version of the skill and iterate.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jonathanhefner jonathanhefner Awaiting requested review from jonathanhefner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@antonpk1 @jonathanhefner