mcp-data-platform-v0.35.10
Bug Fixes
JSX public viewer: fix broken component rendering (#199)
JSX public view links (/portal/view/{token}) were completely broken — the browser threw TypeError: Failed to fetch dynamically imported module and the component never rendered.
Root cause: Per the CSP3 spec, srcdoc iframes inherit the parent page's CSP headers. The effective CSP is the intersection of the parent's CSP header and the iframe's own <meta> CSP. The parent's publicCSP() was far more restrictive than the iframe's meta CSP, so the intersection blocked:
| Directive | What was blocked |
|---|---|
| script-src | esm.sh module loading (Sucrase, React), eval (Sucrase transform), blob: (dynamic import of transformed code) |
| style-src | Google Fonts CSS |
| connect-src | fetch() to esm.sh |
| font-src | Google Fonts files |
Fix: Aligned the parent page's CSP with the iframe's meta CSP so the intersection no longer strips required permissions. Also added blob: to script-src in the iframe meta CSP — the public viewer wraps Sucrase-transformed JSX in a Blob and runs await import(blobUrl), which requires blob: in script-src.
Security note: The expanded CSP (unsafe-eval, unsafe-inline, blob:) is scoped only to the JSX content type branch and applies to a sandboxed iframe (sandbox="allow-scripts" without allow-same-origin), so the iframe cannot access parent-page cookies, storage, or origin.
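The policy stacking described in the root cause, as an added example (not code from this project): a small Go checker that reports which required sources are rejected once the parent page's header and the iframe's meta CSP are both in force. The function names, the sample policy strings and the source expressions are constructed for illustration; matching is simplified to exact tokens with default-src fallback, and only the script-src and connect-src rows of the table are covered.

```go
package main

import (
	"fmt"
	"strings"
)

// allows checks one policy: exact token match with default-src fallback (simplified).
func allows(policy, directive, src string) bool {
	lists := map[string][]string{}
	for _, part := range strings.Split(policy, ";") {
		if f := strings.Fields(part); len(f) > 0 && lists[strings.ToLower(f[0])] == nil {
			lists[strings.ToLower(f[0])] = f[1:] // first occurrence of a directive wins
		}
	}
	list, ok := lists[directive]
	if !ok {
		list, ok = lists["default-src"]
	}
	for _, s := range list {
		if s == src {
			return true
		}
	}
	return !ok // no governing directive: this policy does not restrict the load
}

// Blocked returns the "directive source" pairs rejected by any policy in force.
func Blocked(required []string, policies ...string) []string {
	out := []string{}
	for _, need := range required {
		directive, src, _ := strings.Cut(need, " ")
		for _, policy := range policies {
			if !allows(policy, directive, src) { // every policy must allow the load
				out = append(out, need)
				break
			}
		}
	}
	return out
}

func main() {
	// Constructed sample values (assumptions, not the project's actual policies).
	parent := "default-src 'none'; script-src 'unsafe-inline'; style-src 'unsafe-inline'"
	meta := "default-src 'none'; script-src 'unsafe-inline' 'unsafe-eval' blob: https://esm.sh; connect-src https://esm.sh"
	need := []string{"script-src https://esm.sh", "script-src 'unsafe-eval'", "script-src blob:", "connect-src https://esm.sh"}
	fmt.Println("meta only:", Blocked(need, meta), "parent + meta:", Blocked(need, parent, meta))
}
```

A check of this shape in a test suite catches the regression before a browser does: the meta CSP passes on its own, and the failure only appears when the parent header is evaluated alongside it.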
Files changed
pkg/portal/public.go — expanded publicCSP() JSX branch; added blob: to iframe meta CSP
pkg/portal/public_test.go — updated TestPublicCSP and TestJsxIframe to verify all CSP directives
Installation
Homebrew (macOS)
brew install txn2/tap/mcp-data-platform
Claude Code CLI
claude mcp add mcp-data-platform -- mcp-data-platform
Docker
docker pull ghcr.io/txn2/mcp-data-platform:v0.35.10
Verification
All release artifacts are signed with Cosign. Verify with:
cosign verify-blob --bundle mcp-data-platform_0.35.10_linux_amd64.tar.gz.sigstore.json \
mcp-data-platform_0.35.10_linux_amd64.tar.gz