LibreChat/api/server
Dustin Healy 0f708c2eb8 fix(mcp): harden app CSP, fail closed on auth resolution, and rate-limit resource reads
Render non-app (no profile=mcp-app) ui:// HTML inert: the static srcDoc iframes in ToolCall,
MCPUIResource, and UIResourceCarousel now use sandbox="" so scripts and forms run only through the
CSP-applying sandbox proxy. Make the proxy's meta CSP unbypassable by wrapping any document whose
markup precedes <head>, so nothing untrusted is parsed before the policy takes effect.

Fail closed in resolveAppContext when MCP auth-value resolution throws, logging and rejecting rather
than proceeding with unresolved or stale credentials. Validate each MCP_SANDBOX_FRAME_ANCESTORS
token against a scheme://host[:port] pattern so a stray ";" cannot inject an extra CSP directive.

Rate-limit the app resource endpoints (resources/read, list, templates/list) per user, and correct
AppToolResult.content from an empty-tuple type to unknown[]. Add controller tests for the
frame-ancestors validation and the auth fail-closed path.
2026-06-30 17:30:56 -07:00
..
controllers fix(mcp): harden app CSP, fail closed on auth resolution, and rate-limit resource reads 2026-06-30 17:30:56 -07:00
middleware fix(mcp): harden app CSP, fail closed on auth resolution, and rate-limit resource reads 2026-06-30 17:30:56 -07:00
routes fix(mcp): harden app CSP, fail closed on auth resolution, and rate-limit resource reads 2026-06-30 17:30:56 -07:00
services
utils
cleanup.js
experimental.js
index.js
index.metrics.spec.js
index.spec.js
socialLogins.js
socialLogins.spec.js
telemetry.js
telemetry.spec.js