fix sandbox isolation + "test in prod"

ochafik · ochafik · commit d310c4d8d05a · 2025-11-25T02:36:39.000Z
diff --git a/examples/simple-host/package.json b/examples/simple-host/package.json
@@ -4,10 +4,9 @@
   "version": "1.0.0",
   "type": "module",
   "scripts": {
-    "start:server": "tsx server.ts",
+    "start:server": "bun serve.ts",
     "start:mcp-server": "cd ../simple-server && npm install && npm run start",
     "build": "concurrently 'INPUT=example-host-vanilla.html vite build' 'INPUT=example-host-react.html vite build' 'INPUT=sandbox.html vite build'",
-    "server": "bun server.ts",
     "start": "NODE_ENV=development npm run build && concurrently 'npm run start:server' 'npm run start:mcp-server'"
   },
   "dependencies": {
@@ -23,9 +22,9 @@
     "@types/react-dom": "^19.2.2",
     "@types/react": "^19.2.2",
     "@vitejs/plugin-react": "^4.3.4",
+    "bun": "^1.3.2",
     "concurrently": "^9.2.1",
     "cors": "^2.8.5",
-    "esbuild": "~0.19.10",
     "express": "^5.1.0",
     "prettier": "^3.6.2",
     "tsx": "^4.20.6",
diff --git a/examples/simple-host/serve.ts b/examples/simple-host/serve.ts
@@ -0,0 +1,80 @@
+#!/usr/bin/env npx tsx
+/**
+ * HTTP servers for the MCP UI example:
+ * - Host server (port 8080): serves host HTML files (React and Vanilla examples)
+ * - Sandbox server (port 8081): serves sandbox.html with permissive CSP
+ *
+ * Running on separate ports ensures proper origin isolation for security.
+ */
+
+import express from "express";
+import cors from "cors";
+import { fileURLToPath } from "url";
+import { dirname, join } from "path";
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = dirname(__filename);
+
+const HOST_PORT = parseInt(process.env.HOST_PORT || "8080", 10);
+const SANDBOX_PORT = parseInt(process.env.SANDBOX_PORT || "8081", 10);
+const DIRECTORY = join(__dirname, "dist");
+
+// ============ Host Server (port 8080) ============
+const hostApp = express();
+hostApp.use(cors());
+
+// Exclude sandbox.html from host server
+hostApp.use((req, res, next) => {
+  if (req.path === "/sandbox.html") {
+    res.status(404).send("Sandbox is served on a different port");
+    return;
+  }
+  next();
+});
+
+hostApp.use(express.static(DIRECTORY));
+
+hostApp.get("/", (_req, res) => {
+  res.redirect("/example-host-react.html");
+});
+
+// ============ Sandbox Server (port 8081) ============
+const sandboxApp = express();
+sandboxApp.use(cors());
+
+// Permissive CSP for sandbox content
+sandboxApp.use((_req, res, next) => {
+  const csp = [
+    "default-src 'self'",
+    "img-src * data: blob: 'unsafe-inline'",
+    "style-src * blob: data: 'unsafe-inline'",
+    "script-src * blob: data: 'unsafe-inline' 'unsafe-eval'",
+    "connect-src *",
+    "font-src * blob: data:",
+    "media-src * blob: data:",
+    "frame-src * blob: data:",
+  ].join("; ");
+  res.setHeader("Content-Security-Policy", csp);
+  res.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
+  res.setHeader("Pragma", "no-cache");
+  res.setHeader("Expires", "0");
+  next();
+});
+
+sandboxApp.get(["/", "/sandbox.html"], (_req, res) => {
+  res.sendFile(join(DIRECTORY, "sandbox.html"));
+});
+
+sandboxApp.use((_req, res) => {
+  res.status(404).send("Only sandbox.html is served on this port");
+});
+
+// ============ Start both servers ============
+hostApp.listen(HOST_PORT, () => {
+  console.log(`Host server:    http://localhost:${HOST_PORT}`);
+});
+
+sandboxApp.listen(SANDBOX_PORT, () => {
+  console.log(`Sandbox server: http://localhost:${SANDBOX_PORT}`);
+  console.log("\nPress Ctrl+C to stop\n");
+});
diff --git a/examples/simple-host/server.ts b/examples/simple-host/server.ts
diff --git a/examples/simple-host/src/example-host-react.tsx b/examples/simple-host/src/example-host-react.tsx
@@ -8,7 +8,7 @@ import { Tool } from "@modelcontextprotocol/sdk/types.js";
 import { AppRenderer, AppRendererProps } from "../src/AppRenderer";
 import { AppBridge } from "../../../dist/src/app-bridge";
 
-const SANDBOX_PROXY_URL = URL.parse("/sandbox.html", location.href)!;
+const SANDBOX_PROXY_URL = new URL("http://localhost:8081/sandbox.html");
 
 /**
  * Example React application demonstrating the AppRenderer component.
diff --git a/examples/simple-host/src/example-host-vanilla.ts b/examples/simple-host/src/example-host-vanilla.ts
@@ -18,7 +18,7 @@ import {
   McpUiSizeChangeNotificationSchema,
 } from "@modelcontextprotocol/ext-apps";
 
-const SANDBOX_PROXY_URL = URL.parse("/sandbox.html", location.href)!;
+const SANDBOX_PROXY_URL = new URL("http://localhost:8081/sandbox.html");
 
 window.addEventListener("load", async () => {
   const client = new Client({
diff --git a/examples/simple-host/src/sandbox.ts b/examples/simple-host/src/sandbox.ts
@@ -15,6 +15,15 @@ if (!document.referrer.match(/^http:\/\/(localhost|127\.0\.0\.1)(:|\/|$)/)) {
   );
 }
 
+// Try and break out of this iframe
+try {
+  window.top!.alert("If you see this, the sandbox is not setup securely.");
+
+  throw new Error('Managed to break out of iframe, the sandbox is not setup securely.');
+} catch (e) {
+  // Ignore
+}
+
 const inner = document.createElement("iframe");
 inner.style = "width:100%; height:100%; border:none;";
 inner.setAttribute("sandbox", "allow-scripts allow-same-origin allow-forms");
