LibreChat/client
Dustin Healy ac2812ba2f fix(mcp): use window.location.origin as trusted sandbox origin
The previous approach derived trustedOrigin from document.referrer at
startup and fell back to '*' when referrer was empty, with a lazy-set
from the first incoming message as a further fallback. Both paths leave
a window where notifyReady broadcasts to all frames or the origin can
be set by an untrusted first message.

The sandbox is always served same-origin with LibreChat (/api/mcp/sandbox),
so window.location.origin is always the exact parent origin. This replaces
the referrer parse and lazy-set entirely: trustedOrigin is a const set at
parse time, notifyReady uses it directly, and the message handler rejects
any message whose origin does not match without fallback.
2026-06-23 18:47:28 -07:00
..
public fix(mcp): use window.location.origin as trusted sandbox origin 2026-06-23 18:47:28 -07:00
scripts
src fix(mcp): harden sandbox security and fix stale closures, error states 2026-06-23 18:35:27 -07:00
sw 🛟 fix: Auto-Recover from Stale Service Worker Assets After Deploys (#13686) 2026-06-11 11:57:06 -04:00
test 🧑‍🎨 refactor: Prompts/Sidebar styles for improved UI Consistency (#12426) 2026-04-09 00:02:31 -04:00
babel.config.cjs 🧑‍🎨 refactor: Prompts/Sidebar styles for improved UI Consistency (#12426) 2026-04-09 00:02:31 -04:00
check_updates.sh
index.html 🛟 fix: Auto-Recover from Stale Service Worker Assets After Deploys (#13686) 2026-06-11 11:57:06 -04:00
jest.config.cjs feat: MCP Apps support (squashed for rebase) 2026-06-21 23:55:17 -07:00
nginx.conf 📬 docs: Add Forwarded Headers to Nginx SSL Proxy Template (#12379) 2026-03-25 13:04:19 -04:00
package.json refactor: replace @mcp-ui/client with @modelcontextprotocol/ext-apps/app-bridge 2026-06-23 13:55:56 -07:00
postcss.config.cjs
tailwind.config.cjs
tsconfig.json 👷 ci: Type-check the Client Workspace (#13560) 2026-06-06 18:40:31 -04:00
vite.config.ts 🛟 fix: Auto-Recover from Stale Service Worker Assets After Deploys (#13686) 2026-06-11 11:57:06 -04:00