From 39a06f43f49b0d326217bf7808cb68b85499fa66 Mon Sep 17 00:00:00 2001 From: Dustin Healy <54083382+dustinhealy@users.noreply.github.com> Date: Wed, 24 Jun 2026 08:30:06 -0700 Subject: [PATCH] fix(mcp): restrict sandbox form submissions to the declared egress form-action does not fall back to default-src, so with the inner iframe created allow-forms a script could submit a hidden form to any origin and bypass the connectDomains deny-by-default egress policy. The generated sandbox CSP now sets form-action to the same declared connect allowlist ('none' when none is set). --- client/public/mcp-sandbox.html | 3 +++ 1 file changed, 3 insertions(+) diff --git a/client/public/mcp-sandbox.html b/client/public/mcp-sandbox.html index f2e5483dab..04264aa431 100644 --- a/client/public/mcp-sandbox.html +++ b/client/public/mcp-sandbox.html @@ -158,6 +158,9 @@ ("script-src 'unsafe-inline' " + resourceDomains).trim(), ("style-src 'unsafe-inline' " + resourceDomains).trim(), "connect-src " + connectDomains, + // form-action does not fall back to default-src, so with allow-forms a form could post to + // any origin; bound it to the declared egress allowlist ('none' when none is declared). + "form-action " + connectDomains, ("img-src data: blob: " + resourceDomains).trim(), ("media-src " + (resourceDomains || "'none'")).trim(), ("font-src " + (resourceDomains || "'none'")).trim(),