Skip to content

Synchronize object-src 'none' with default-src 'none'#715

Merged
idosal merged 1 commit into
modelcontextprotocol:mainfrom
domfarolino:object-src
Jul 17, 2026
Merged

Synchronize object-src 'none' with default-src 'none'#715
idosal merged 1 commit into
modelcontextprotocol:mainfrom
domfarolino:object-src

Conversation

@domfarolino

@domfarolino domfarolino commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

This change is purely editorial.

Section §4. Content Security Policy Enforcement describes how hosts MUST construct CSP headers from resource metadata. It includes object-src 'none' and default-src 'none' which is technically redundant since object-src uses default-src as a fallback, per https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/object-src. Despite the redundancy, I think it's good to be verbose here.

Related, the §Host Behavior describes a restrictive default CSP that Hosts MUST use if ui.csp is missing. This includes default-src 'none' which implicitly protects us from <object> and <embed> elements, but does not include object-src 'none' explicitly. This is technically fine, but we should synchronize these two sections, so this PR simply adds object-src 'none' to the restrictive default, for completeness, even though it has no observable effect on app content or even CSP violation reports (because default-src 'none' is already specified).

@domfarolino

Copy link
Copy Markdown
Contributor Author

Not sure who the best person to look at this is, but maybe @ochafik can give it a quick peek?

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR makes the draft specification’s “restrictive default” CSP example explicitly include object-src 'none' so it matches the verbosity used elsewhere in the document, even though default-src 'none' already implies the same restriction.

Changes:

  • Add object-src 'none' to the “Restrictive Default” CSP shown under “§Host Behavior” when ui.csp is omitted.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@idosal idosal left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @domfarolino !

@pkg-pr-new

pkg-pr-new Bot commented Jul 16, 2026

Copy link
Copy Markdown

Open in StackBlitz

@modelcontextprotocol/ext-apps

npm i https://pkg.pr.new/@modelcontextprotocol/ext-apps@715

@modelcontextprotocol/server-basic-preact

npm i https://pkg.pr.new/@modelcontextprotocol/server-basic-preact@715

@modelcontextprotocol/server-basic-react

npm i https://pkg.pr.new/@modelcontextprotocol/server-basic-react@715

@modelcontextprotocol/server-basic-solid

npm i https://pkg.pr.new/@modelcontextprotocol/server-basic-solid@715

@modelcontextprotocol/server-basic-svelte

npm i https://pkg.pr.new/@modelcontextprotocol/server-basic-svelte@715

@modelcontextprotocol/server-basic-vanillajs

npm i https://pkg.pr.new/@modelcontextprotocol/server-basic-vanillajs@715

@modelcontextprotocol/server-basic-vue

npm i https://pkg.pr.new/@modelcontextprotocol/server-basic-vue@715

@modelcontextprotocol/server-budget-allocator

npm i https://pkg.pr.new/@modelcontextprotocol/server-budget-allocator@715

@modelcontextprotocol/server-cohort-heatmap

npm i https://pkg.pr.new/@modelcontextprotocol/server-cohort-heatmap@715

@modelcontextprotocol/server-customer-segmentation

npm i https://pkg.pr.new/@modelcontextprotocol/server-customer-segmentation@715

@modelcontextprotocol/server-debug

npm i https://pkg.pr.new/@modelcontextprotocol/server-debug@715

@modelcontextprotocol/server-lazy-auth

npm i https://pkg.pr.new/@modelcontextprotocol/server-lazy-auth@715

@modelcontextprotocol/server-map

npm i https://pkg.pr.new/@modelcontextprotocol/server-map@715

@modelcontextprotocol/server-pdf

npm i https://pkg.pr.new/@modelcontextprotocol/server-pdf@715

@modelcontextprotocol/server-scenario-modeler

npm i https://pkg.pr.new/@modelcontextprotocol/server-scenario-modeler@715

@modelcontextprotocol/server-shadertoy

npm i https://pkg.pr.new/@modelcontextprotocol/server-shadertoy@715

@modelcontextprotocol/server-sheet-music

npm i https://pkg.pr.new/@modelcontextprotocol/server-sheet-music@715

@modelcontextprotocol/server-system-monitor

npm i https://pkg.pr.new/@modelcontextprotocol/server-system-monitor@715

@modelcontextprotocol/server-threejs

npm i https://pkg.pr.new/@modelcontextprotocol/server-threejs@715

@modelcontextprotocol/server-transcript

npm i https://pkg.pr.new/@modelcontextprotocol/server-transcript@715

@modelcontextprotocol/server-video-resource

npm i https://pkg.pr.new/@modelcontextprotocol/server-video-resource@715

@modelcontextprotocol/server-wiki-explorer

npm i https://pkg.pr.new/@modelcontextprotocol/server-wiki-explorer@715

commit: 5450b2e

@idosal
idosal merged commit 2ca6a59 into modelcontextprotocol:main Jul 17, 2026
15 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants