Commit f96c526

docs: update UI resource format and metadata fields (#4)
* Update UI resource format and metadata fields

  Create a unified object of UIResourceMetadata, as agreed in the SEP doc:

  ```
  interface UiResourceMeta {
    csp?: {
      connectDomains?: string[],
      resourceDomains?: string[],
    },
    domain?: string,
    prefersBorder?: boolean,
  }
  ```

* fix: json style
* fix: style
1 parent fd38d79 commit f96c526

1 file changed

+29
-15
lines changed

specification/draft/apps.mdx

Lines changed: 29 additions & 15 deletions
@@ -57,6 +57,16 @@ interface UIResource {
5757
name: string; // Human-readable identifier
5858
description?: string; // Description of the UI resource
5959
mimeType: string; // SHOULD be 'text/vnd.mcp.ui+html' in MVP
60+
_meta?: UIResourceMeta // Resource Metadata
61+
}
62+
63+
interface UiResourceMeta {
64+
csp?: {
65+
connectDomains?: string[],
66+
resourceDomains?: string[],
67+
},
68+
domain?: string,
69+
prefersBorder?: boolean,
6070
}
6171
```
6272
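Review bot: The new `_meta?: UIResourceMeta` member on `UIResource` refers to a type that is never declared; the interface added directly below it is spelled `UiResourceMeta` (lowercase `i`). Use one spelling for both, and end the `_meta` line with `;` like the other `UIResource` members. The new interface also separates its members with `,` where the surrounding interface uses `;`.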

@@ -71,12 +81,14 @@ The resource content is returned via `resources/read`:
7181
text?: string; // HTML content as string
7282
blob?: string; // OR base64-encoded HTML
7383
_meta?: {
74-
"ui/csp"?: {
75-
connect_domains?: string[]; // Origins for fetch/XHR/WebSocket
76-
resource_domains?: string[]; // Origins for images, scripts, styles
84+
"ui"?: {
85+
"csp"?: {
86+
connect_domains?: string[]; // Origins for fetch/XHR/WebSocket
87+
resource_domains?: string[]; // Origins for images, scripts, etc
88+
};
89+
"domain"?: string;
90+
"prefersBorder"?: boolean;
7791
};
78-
"ui/domain"?: string;
79-
"ui/prefersBorder"?: boolean;
8092
};
8193
}];
8294
}
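Review bot: Inside the new `_meta.ui.csp` object the keys are still `connect_domains` and `resource_domains`, while the `UiResourceMeta` interface added earlier in this same commit names them `connectDomains` and `resourceDomains`. Both describe the same object, and a Host that reads one spelling will not see domains declared under the other, so the CSP it constructs would not reflect what the server declared. Settle on one casing in both places, or replace this inline shape with a reference to the interface so the two cannot drift.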
@@ -91,7 +103,7 @@ The resource content is returned via `resources/read`:
91103

92104
#### Metadata Fields:
93105

94-
**`ui/csp` - Content Security Policy configuration**
106+
**`ui.csp` - Content Security Policy configuration**
95107

96108
Servers declare which external origins their UI needs to access. Hosts use this to enforce appropriate CSP headers.
97109

@@ -106,14 +118,14 @@ Servers declare which external origins their UI needs to access. Hosts use this
106118
- Wildcard subdomains supported: `https://*.example.com`
107119
- Maps to CSP `img-src`, `script-src`, `style-src`, `font-src` directives
108120

109-
**`ui/domain` - Dedicated origin for widget**
121+
**`ui.domain` - Dedicated origin for widget**
110122

111123
Optional domain for the widget's sandbox origin. Useful when widgets need dedicated origins for API key allowlists or cross-origin isolation.
112124

113125
- Example: `"https://weather-widget.example.com"`
114126
- If omitted, Host uses default sandbox origin
115127

116-
**`ui/prefersBorder` - Visual boundary preference**
128+
**`ui.prefersBorder` - Visual boundary preference**
117129

118130
Boolean indicating the UI prefers a visible border. Useful for widgets that might blend with host background.
119131

@@ -123,7 +135,7 @@ Boolean indicating the UI prefers a visible border. Useful for widgets that migh
123135
#### Host Behavior:
124136

125137
- **CSP Enforcement:** Host MUST construct CSP headers based on declared domains
126-
- **Restrictive Default:** If `ui/csp` is omitted, Host MUST use:
138+
- **Restrictive Default:** If `ui.csp` is omitted, Host MUST use:
127139

128140
```
129141
default-src 'none';
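Review bot: "If `ui.csp` is omitted" is less precise now that `csp` is nested under `ui`. State explicitly that the restrictive default also applies when `_meta.ui` itself is absent, and say what a Host does when `csp` is present but one or both of its domain lists are missing or empty. Because this bullet is a MUST, its trigger condition should not be left to interpretation.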
@@ -154,11 +166,13 @@ Example:
154166
"mimeType": "text/vnd.mcp.ui+html",
155167
"text": "<!DOCTYPE html><html>...</html>",
156168
"_meta": {
157-
"ui/csp": {
158-
"connect_domains": ["https://api.openweathermap.org"],
159-
"resource_domains": ["https://cdn.jsdelivr.net"]
160-
},
161-
"ui/prefersBorder": true
169+
"ui" : {
170+
"csp": {
171+
"connect_domains": ["https://api.openweathermap.org"],
172+
"resource_domains": ["https://cdn.jsdelivr.net"]
173+
},
174+
"prefersBorder": true
175+
}
162176
}
163177
}]
164178
}
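Review bot: `"ui" : {` has a space before the colon, unlike every other key in this example; make it `"ui": {`. The example also keeps `connect_domains` and `resource_domains`; since this is the snippet implementers are most likely to copy, it should use whichever key spelling the interface definition ends up with.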
@@ -282,7 +296,7 @@ If the Host is a web page, it MUST wrap the Guest UI and communicate with it thr
282296
3. The Sandbox MUST send a `ui/sandbox-ready` notification to the host when it’s ready to process an `ui/sandbox-resource-ready` notification.
283297
4. Once the Sandbox is ready, the Host MUST send the raw HTML resource to load in a `ui/sandbox-resource-ready` notification.
284298
5. The Sandbox MUST load the raw HTML of the Guest UI with CSP settings that:
285-
- Enforce the domains declared in `ui/csp` metadata
299+
- Enforce the domains declared in `ui.csp` metadata
286300
- Prevent nested iframes (`frame-src 'none'`)
287301
- Block dangerous features (`object-src 'none'`, `base-uri 'self'`)
288302
- Apply restrictive defaults if no CSP metadata is provided
