Relax double sandboxed iframe architecture requirements#717
Relax double sandboxed iframe architecture requirements#717domfarolino wants to merge 2 commits into
Conversation
Update UI initialization diagram
| Hosts act as MCP servers (that can proxy the actual MCP server), receiving and handling requests from UI iframes. | ||
|
|
||
| ### Sandbox proxy | ||
| ### <span id=sandbox-proxy>Rendering the MCP App</span> |
There was a problem hiding this comment.
In web standards world, we have a policy where any standards link should effectively live ~forever. This header title change would ordinarly break links to this section, but the <span> preserves the old ID so old links keep working after this PR.
If this is too pedantic, lmk and I'll revert :)
| - If `permissions` is declared in `UIResourceMeta`, the Host MAY set the iframe's `allow` attribute accordingly | ||
|
|
||
| > [!WARNING] | ||
| > The document in the iframe that will host the MCP App view content MUST be served by a server the Host controls, in order to guarantee that the security properties specified by the tool definition (e.g., CSP) are set via HTTP headers properly. Relying on a third-party MCP server to serve the document in this iframe is not permitted by this specification, as Hosts would forfeit control over the app's most sensitive security properties. |
There was a problem hiding this comment.
This is not a new requirement; it just backs up and elaborates on the one in https://github.com/modelcontextprotocol/ext-apps/blob/main/specification/draft/apps.mdx#4-content-security-policy-enforcement, which is that the Host, not the third-party MCP server, must serve the document that bears CSP headers, because that's the only way the Host can enforce the headers.
|
Also /cc @fredericbarthelet who may be interested in this change! |
@modelcontextprotocol/ext-apps
@modelcontextprotocol/server-basic-preact
@modelcontextprotocol/server-basic-react
@modelcontextprotocol/server-basic-solid
@modelcontextprotocol/server-basic-svelte
@modelcontextprotocol/server-basic-vanillajs
@modelcontextprotocol/server-basic-vue
@modelcontextprotocol/server-budget-allocator
@modelcontextprotocol/server-cohort-heatmap
@modelcontextprotocol/server-customer-segmentation
@modelcontextprotocol/server-debug
@modelcontextprotocol/server-lazy-auth
@modelcontextprotocol/server-map
@modelcontextprotocol/server-pdf
@modelcontextprotocol/server-scenario-modeler
@modelcontextprotocol/server-shadertoy
@modelcontextprotocol/server-sheet-music
@modelcontextprotocol/server-system-monitor
@modelcontextprotocol/server-threejs
@modelcontextprotocol/server-transcript
@modelcontextprotocol/server-video-resource
@modelcontextprotocol/server-wiki-explorer
commit: |
Motivation and Context
The spec requires Hosts to render MCP Apps in a double sandbox iframe architecture and use the reserved proxy messages as a set-up ritual, as evidenced by requirements in § Sandbox proxy and other sections.
While a double sandboxed iframe architecture is a valid approach, it is not required to render MCP Apps security, and is more complicated than a single sandboxed iframe approach that satisfies the same security requirements. It'd be best if the spec were generally unopinionated about the exact framing architecture, as it is effectively a Host implementation detail—it has no bearing on the communication and compatibility between Hosts and Views.
This PR relaxes the specification to allow arbitrary framing architectures that meet a set of general security criteria, thus satisfying #716. This PR closes #716, and probably is enough to close #603 too, since a compliant Host could stream the bytes of an MCP App resources from its own 1p server directly into a single sandboxed iframe as the document resource.
How Has This Been Tested?
Google Gemini will be using a single sandboxed iframe architecture for simplicity and performance. Also, a follow-up PR to this one will be made to migrate
examples/basic-hostto a single sandboxed iframe architecture, as to not give the impression that a double sandboxed iframe approach is necessary or "recommended".Breaking Changes
Nope! It should be noted though that this change is theoretically observable. If a Host went from using a double sandboxed iframe approach to a single one, an MCP App View could observe this by counting the
window.parenthops between it andwindow.top. However, it's unlikely any MCP App code relies on this.Types of changes
Checklist
main. All screenshot tests fail for me before and after this change too, because the baseline screenshots checked into the repository seem to expect a very specific OS font package that playwright is not displaying on macOS by default. But this PR is spec-only, so it shouldn't have any actual impact on test execution.