Allow Configuring Sandboxing

[mjallday]

Reading https://mcpui.dev/guide/client/resource-renderer and looking through the source code I see that by default there's some hardcoded logic to determine how to treat the sandbox attribute of the iFrame.

I believe we have a use-case where we want the iframe to allow submitting a form within it and then passing the result of the form submission back to the parent via the dom once the form submission result is available.

This issue is a change to discuss the implementation.

I was thinking of two approaches, not sure which is favored. Assume that both would be backwards compatible and the same behavior as today would work out of the box, these are just overrides.

1. Allow specifying additional sandbox permissions via the react component

<UIResourceRenderer
  resource={mcpResource.resource}
  supportedContentTypes={['rawHtml']}
  onUIAction={handleUIAction}
  sandboxPermissions="allow-forms allow-scripts"
/>

2. Allow specifying additional sandbox permissions via the MCP response payload

{
  "type": "resource",
  "resource": {
     "uri": "ui://product/gid://shopify/Product/123123",
     "mimeType": "text/uri-list",
     "text": "https://cdn.shopify.com/storefront/product.component?store_domain=demostore.mock.shop&product_handle=hoodie"
     "sandboxPermissions": "allow-forms allow-scripts"
  }
}

The first feels a little more secure since it's the client that's specifying the control. On the latter you're trusting the server to provide the correct permissions. Maybe ultimately both are required with the client setting the baseline but for an initial implementation I'd lean towards just the client side.

---

Ref #30

[mikeball]

I would agree the first seems more secure/explicit. Perhaps the resource payload could allow you to specify a requiredSandboxPermissions and throw exception if it's not explicitly allowed.

[idosal]

Thanks for bringing this up!

1. The first option is a degree of freedom that should be given to hosts. As mentioned, the servers can't define it, or they can abuse it to escape the sandbox. Added to the roadmap.
2. There's a built-in way for the iframed UI to communicate with the host! See https://mcpui.dev/guide/client/react-usage-examples#handling-asynchronous-actions-with-message-ids. Does that help your use case?

[liady]

@mjallday note that UIResourceRenderer already supports passing props directly to the iframe (through htmlProps.iframeProps), so a possible solution today will be:

<UIResourceRenderer
  resource={mcpResource.resource}
  supportedContentTypes={['rawHtml']}
  onUIAction={handleUIAction}
  htmlProps={{
    iframeProps: {
      sandbox: 'allow-forms allow-scripts',
    },
  }}
/>

Does that help?

[liady]

@mjallday there's a PR - #83 - to add a dedicated sandboxPermissions prop to not rely on an attribute override for this