docs: frameDomains and baseUriDomains for mcp apps #6684
Merged
dianed-square merged 1 commit into main from Jan 23, 2026
Pull request overview
This PR documents two additional Content Security Policy (CSP) configuration options for MCP Apps: frameDomains and baseUriDomains. These options allow developers to configure iframe embedding and base URI restrictions in their MCP App security policies.
Changes:
- Added frameDomains and baseUriDomains to the CSP configuration example
- Added a new "Content Security Policy Configuration" section with a detailed table explaining all four CSP options (connectDomains, resourceDomains, frameDomains, baseUriDomains)
- Included practical examples showing how to embed maps and load CDN resources
- Added a security warning about minimizing domain allowlists
blackgirlbytes approved these changes Jan 23, 2026
zanesq added a commit that referenced this pull request Jan 26, 2026
* origin/main:
  fix: dispatch ADD_ACTIVE_SESSION event before navigating from "View All" (#6679)
  Speed up Databricks provider init by removing fetch of supported models (#6616)
  fix: correct typos in documentation and Justfile (#6686)
  docs: frameDomains and baseUriDomains for mcp apps (#6684)
  docs: add Remotion video creation tutorial (#6675)
  docs: export recipe and copy yaml (#6680)
  Test against fastmcp (#6666)
  docs: mid-session changes (#6672)
  Fix MCP elicitation deadlock and improve UX (#6650)
  chore: upgrade to rmcp 0.14.0 (#6674)
  [docs] add MCP-UI to MCP Apps blog (#6664)
  ACP get working dir from args.cwd (#6653)
  Optimise load config in UI (#6662)
# Conflicts:
# ui/desktop/src/components/Layout/AppLayout.tsx
This was referenced Jan 27, 2026
zanesq added a commit that referenced this pull request Jan 27, 2026
…upport
* origin/main: (79 commits)
  fix[format/openai]: return error on empty msg. (#6511)
  Fix: ElevenLabs API Key Not Persisting (#6557)
  Logging uplift for model training purposes (command injection model) [Small change] (#6330)
  fix(goose): only send agent-session-id when a session exists (#6657)
  BERT-based command injection detection in tool calls (#6599)
  chore: [CONTRIBUTING.md] add Hermit to instructions (#6518)
  fix: update Gemini context limits (#6536)
  Document r slash command (#6724)
  Upgrade GitHub Actions to latest versions (#6700)
  fix: Manual compaction does not update context window. (#6682)
  Removed the Acceptable Usage Policy (#6204)
  Document spellcheck toggle (#6721)
  fix: docs workflow cleanup and prevent cancellations (#6713)
  Docs: file bug directly (#6718)
  fix: dispatch ADD_ACTIVE_SESSION event before navigating from "View All" (#6679)
  Speed up Databricks provider init by removing fetch of supported models (#6616)
  fix: correct typos in documentation and Justfile (#6686)
  docs: frameDomains and baseUriDomains for mcp apps (#6684)
  docs: add Remotion video creation tutorial (#6675)
  docs: export recipe and copy yaml (#6680)
  ...
# Conflicts:
# ui/desktop/src/hooks/useChatStream.ts
katzdave added a commit that referenced this pull request Jan 27, 2026
…ovider
* 'main' of github.com:block/goose:
  fix: Manual compaction does not update context window. (#6682)
  Removed the Acceptable Usage Policy (#6204)
  Document spellcheck toggle (#6721)
  fix: docs workflow cleanup and prevent cancellations (#6713)
  Docs: file bug directly (#6718)
  fix: dispatch ADD_ACTIVE_SESSION event before navigating from "View All" (#6679)
  Speed up Databricks provider init by removing fetch of supported models (#6616)
  fix: correct typos in documentation and Justfile (#6686)
  docs: frameDomains and baseUriDomains for mcp apps (#6684)
This was referenced Jan 29, 2026
Summary
This PR documents frameDomains and baseUriDomains CSP configuration options for MCP Apps.
Documentation updates:
documentation/docs/tutorials/building-mcp-apps.md: frameDomains and baseUriDomains to CSP configuration example
Type of Change
AI Assistance
Testing
Manually tested CSP configuration with OpenStreetMap iframe embedding
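
Added example, not part of this PR or of goose's code: the code below turns the four CSP options named above into a policy string and flags allowlist entries that are broader than a single HTTPS origin. The directive mapping, the deny-by-default choice, and the names DIRECTIVE_MAP, ORIGIN_RE, checkEntry and buildCsp are assumptions; the sample config is constructed.

```javascript
// Added illustration; not goose's or any MCP host's implementation.
// ASSUMPTION: one plausible mapping from the four options to CSP directives.
const DIRECTIVE_MAP = {
  connectDomains: ["connect-src"],
  resourceDomains: ["script-src", "style-src", "img-src", "font-src"],
  frameDomains: ["frame-src"],
  baseUriDomains: ["base-uri"],
};

// Accept only scheme://host[:port], optionally with a leading "*." label,
// so an entry cannot carry a path, whitespace or extra tokens into the policy.
const ORIGIN_RE = /^(https?):\/\/(\*\.)?[a-z0-9-]+(\.[a-z0-9-]+)*(:\d+)?$/i;

function checkEntry(entry) {
  const m = ORIGIN_RE.exec(entry);
  if (!m) return { ok: false, note: "rejected: not a bare origin" };
  if (m[2]) return { ok: true, note: "wildcard subdomain widens the allowlist" };
  if (m[1].toLowerCase() === "http") return { ok: true, note: "plain HTTP origin" };
  return { ok: true, note: null };
}

// Deny by default (this example's choice): a missing or empty option becomes
// 'none'. base-uri is always emitted because it does not inherit default-src.
function buildCsp(config) {
  const warnings = [];
  const parts = ["default-src 'none'"];
  for (const [option, directives] of Object.entries(DIRECTIVE_MAP)) {
    const kept = [];
    for (const entry of config[option] ?? []) {
      const { ok, note } = checkEntry(entry);
      if (note) warnings.push(`${option}: ${entry}: ${note}`);
      if (ok) kept.push(entry);
    }
    const sources = kept.length ? kept.join(" ") : "'none'";
    for (const d of directives) parts.push(`${d} ${sources}`);
  }
  return { header: parts.join("; "), warnings };
}

// Constructed sample: one CDN, an OpenStreetMap iframe, two entries to flag.
const sample = {
  resourceDomains: ["https://cdn.example.com"],
  frameDomains: ["https://www.openstreetmap.org"],
  connectDomains: ["https://*.example.com", "https://api.example.com/v1"],
};
const result = buildCsp(sample);
console.log(result.header);
console.log(result.warnings.join("\n"));
```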