mirror of
https://github.com/danny-avila/LibreChat.git
synced 2026-07-01 11:53:55 +00:00
Grant allow-same-origin to the sandbox inner frame only when the sandbox runs on a dedicated origin (parentOrigin differs from the sandbox origin), matching the spec dedicated-origin model so storage-backed apps work there while same-origin deployments stay isolated from the host.

Push host-context updates to a live app: a MutationObserver on the document theme class sends sendHostContextChange with the new theme and derived style tokens when the user toggles light or dark while an app is open.

Provide the standardized MCP Apps CSS theme variables (a mapped subset of LibreChat tokens) in the initial hostContext and on theme change.

Add an opt-in strict CSP (VITE_MCP_SANDBOX_STRICT_CSP) that drops unsafe-eval, wasm-unsafe-eval, blob:, and data: from the sandbox script-src, threaded to the sandbox via a strictCsp query param.

| Name |
|---|
| assets |
| fonts |
| mcp-sandbox.html |
| robots.txt |