Description
Bug Description
MCP apps that specify resourceDomains in their CSP configuration cannot load external scripts and stylesheets from those domains. The CSP (Content Security Policy) currently only includes resource domains for connect-src, img-src, and font-src, but not for script-src and style-src.
Steps to Reproduce
- Create a Skybridge template MCP server:
  npm create skybridge@latest
- In VSCode, add MCP server via HTTP:
  - Open MCP settings
  - Add server with HTTP endpoint: http://localhost:3000/mcp
- Add the following to your user settings:
  { "chat.mcp.apps.enabled": true }
- In the chat, send the following message:
  Magic Ball : tell me, am i the greatest developer
- Open Developer Tools (Help > Toggle Developer Tools)
- Check the Console for CSP violation errors
Expected Behavior
External scripts and stylesheets from domains specified in the MCP app's resourceDomains configuration should be allowed to load without CSP violations.
Actual Behavior
Scripts and styles are blocked by CSP with errors in the console, even though the domains are specified in the app's configuration.
Environment
- VSCode Version: 1.109.0-insider
- Commit: 7c62052
- OS: Darwin arm64 25.1.0
Location in Code
File: src/vs/workbench/contrib/chat/browser/widget/chatContentParts/toolInvocationParts/chatMcpAppModel.ts:254-255
The CSP configuration needs to include ${cleanDomains(csp?.resourceDomains)} in both script-src and style-src directives, similar to how it's already included in img-src and font-src.
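The sketch below is an added example, not code from the VS Code repository: it shows a policy builder that places resourceDomains in script-src and style-src as the report requests, while rejecting entries that are not bare origins. The bodies of cleanDomains and buildCsp, the helper sourcesOf, the 'self' baseline and the sample domains are all assumptions made for illustration.

```typescript
// Added example: a hypothetical re-implementation, not VS Code's chatMcpAppModel.ts.
// A source is accepted only if it is a bare origin, optionally with a leading
// wildcard label and a port, e.g. https://*.example.com:8443.
const ORIGIN_RE = /^https?:\/\/(\*\.)?[a-z0-9-]+(\.[a-z0-9-]+)*(:\d{1,5})?$/i;

// Server-supplied entries are dropped unless they match, so one entry cannot
// add a keyword ('unsafe-eval'), a second source, or a new directive via ';'.
function cleanDomains(domains?: string[]): string {
	const out: string[] = [];
	for (const d of domains ?? []) {
		const v = d.trim();
		if (ORIGIN_RE.test(v) && out.indexOf(v) === -1) {
			out.push(v);
		}
	}
	return out.join(' ');
}

// Assumed baseline of 'self' per directive; the real policy's baseline may differ.
// resourceDomains goes into script-src and style-src as well as img-src/font-src.
function buildCsp(csp?: { resourceDomains?: string[] }): string {
	const res = cleanDomains(csp?.resourceDomains);
	const names = ['script-src', 'style-src', 'img-src', 'font-src', 'connect-src'];
	const parts = [`default-src 'none'`];
	for (const name of names) {
		parts.push(`${name} 'self' ${res}`.trim());
	}
	return parts.join('; ');
}

// Return the source list of one directive, for checking the built policy.
function sourcesOf(policy: string, name: string): string[] {
	for (const part of policy.split(';')) {
		const tokens = part.trim().split(/\s+/);
		if (tokens[0] === name) {
			return tokens.slice(1);
		}
	}
	return [];
}

// Constructed sample input: two valid origins, one duplicate, two injection attempts.
const SAMPLE = [
	'https://cdn.example.com',
	'https://evil.example; script-src *',
	"'unsafe-eval'",
	'https://cdn.example.com',
	' https://*.assets.example.com:8443 ',
];
```

Widening script-src with values that come from an MCP server makes the validation step matter more than it did for img-src and font-src, since an unfiltered entry there could relax script execution rather than just image loading.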