MCP-UI `allow-forms` in Goose?

[aharvard]

Question

Should MCP-UI <iframe /> instances in Goose allow-forms on the sandbox?

Use case: https://x.com/kentcdodds/status/1956134483020931415

Currently

When the <MCPUIResourceRenderer /> component in Goose receives raw HTML from an embedded resource in a tool response, it renders an <iframe /> like this:

<iframe 
  srcdoc="<html>...</html>" 
  sandbox="allow-scripts" 
  title="..." 
  style="...">
</iframe>

When the <MCPUIResourceRenderer /> component in Goose receives an external URL from an embedded resource in a tool response, it renders an <iframe /> like this:

<iframe 
  src="..." 
  sandbox="allow-scripts allow-same-origin" 
  title="..." 
  style="...">
</iframe>

This iframe comes from @mcp-ui/client, which automatically sets the iframe sandbox:

• for raw HTML: allow-scripts
• for external URL: allow-scripts allow-same-origin

Possible Config

We have the ability to override the sandbox permissions by setting htmlProps.iframeProps.sandbox to a string (refer to: https://x.com/idosal1/status/1956139895078183102).

This allows Goose to provide a more strict or more lenient CSP — coming soon is a more ergonomic approach MCP-UI-Org/mcp-ui#83.

// MCPUIResourceRenderer.tsx 

import { UIResourceRenderer } from '@mcp-ui/client';

// ...

<UIResourceRenderer
 resource={content.resource}
 onUIAction={handleUIAction}
 htmlProps={{
   iframeProps: {
     sandbox: 'allow-forms allow-scripts',
   },
   // other htmlProps are present in the source code but removed here for focused discussion
 }}
/>

// ...

<!-- assuming raw HTML is returned by the tool response, the above JSX would yield...  -->

<iframe 
  srcdoc="<html>...</html>" 
  sandbox="allow-forms allow-scripts" 
  title="..." 
  style="...">
</iframe>

Possible outcomes

Support allow-forms

If we want to add allow-forms to the sandbox of the MCP-UI <iframe />, this will be a quick implementation

Provide guidance for an alternative path

If we don't allow-forms, we need to document why not, and propose alternative solutions such as:

1. MCP-UI resources should be stateful and post via fetch api
2. MCP-UI resources should communicate a response to Goose via MCP UI actions (post messages)

References

1. MCP-UI: Allow Configuring Sandboxing Allow Configuring Sandboxing MCP-UI-Org/mcp-ui#68 (comment)
2. MCP-UI: feat: add sandbox permissions instead of an override feat: add sandbox permissions instead of an override MCP-UI-Org/mcp-ui#83

[kentcdodds]

The drawback for not allowing forms is that people then have to add click handlers on their form submit buttons because the forms can't fire the submit event. This makes the forms less accessible.

I'm not sure what the risk of allowing forms would be.

[liady]

Thanks @aharvard ! A note - now you can use sandboxPermissions that preserves the default permissions instead of overriding them. (so you can simply set it to allow-forms in order to allow forms, without specifying the other permissions)
https://mcpui.dev/guide/client/resource-renderer#props-details

One question - will it be helpful if the tool will return in its metadata (MCP-UI-Org/mcp-ui#49) which additional permissions it needs? We can limit it to allow-forms for now.
It won't solve the general question here but will at least limit it only for tools that specify this need.

[aharvard]

One question - will it be helpful if the tool will return in its metadata (MCP-UI-Org/mcp-ui#49) which additional permissions it needs? We can limit it to allow-forms for now.
It won't solve the general question here but will at least limit it only for tools that specify this need.

@liady Goose questions, I'm not sure. I was under the impression that we would want to fully manage the sandbox attribute in Goose.

Hoping to pull in some security folks this week to help! In the meantime, I'll work on cutting a pre-release build for @kentcdodds to play around with.

[aharvard]

I've opened a PR that upgrades @mcp-ui/client and sets htmlProps.sandboxPermissions to allow-forms #4164

[Abhijay007]

Hi @taniandjerry , @aharvard, ig we can close this one as we already have the merged PR for the same