What does connectDomains vs resourceDomains mean in MCP CSP?

Connect domains allow runtime requests like `fetch()` and WebSocket. Resource domains allow static assets like scripts, stylesheets, images, and fonts. If your JavaScript code calls it at runtime, use connectDomains. If an HTML tag loads it, use resourceDomains.

Why is my MCP widget blank even though the API works?

Your API domain is likely in the wrong CSP array or missing entirely. Check the Network tab in dev tools for blocked requests. If a domain isn't declared in the matching CSP array, the browser silently blocks it. Also verify the domain scheme matches (https vs wss) and that any paired domains (like Google Fonts) are both declared.

Does MCP App CSP work differently on ChatGPT vs Claude?

The CSP mechanism is the same across platforms, but ChatGPT enforces stricter rules in published mode than dev mode and requires `_meta.ui.domain`. Claude and VS Code have similar sandboxing but different iframe origins. Always test your published app in the actual host environment, not just locally.

🛠️ Developer Tools

Why Your MCP App Widget Goes Blank: The Content Security Policy Trap

You built an MCP App. The server returns data. The widget is still blank. Here's why—and how to fix it in five minutes.

Open Source Beat Apr 03, 2026 5 min read 17 views

Code snippet showing MCP App CSP configuration with connectDomains, resourceDomains, and frameDomains arrays

⚡ Key Takeaways

CSP blocks all external requests by default—you must explicitly declare trusted domains in three arrays: connectDomains, resourceDomains, and frameDomains 𝕏
The #1 mistake is putting API domains in resourceDomains instead of connectDomains; runtime connections like fetch() require connectDomains 𝕏
Google Fonts and multi-domain services require both fonts.googleapis.com AND fonts.gstatic.com declared; missing one causes silent failures 𝕏
WebSocket connections use wss:// not https://; scheme mismatches cause silent blocking with minimal error messages 𝕏
ChatGPT's published mode enforces stricter CSP than dev mode and requires _meta.ui.domain; always test in production before shipping 𝕏

Published by

Open Source Beat

Community-driven. Code-first.

#MCP apps #api debugging #chatgpt widgets #content security policy #sandboxed iframes

Worth sharing?

Get the best Open Source stories of the week in your inbox — no noise, no spam.

Originally reported by Dev.to

⚡ Key Takeaways

The 60-Second TL;DR

Open Source Beat

Share this article

Worth sharing?

Related Stories

ckpt: Git's Secret Weapon for Taming Wild AI Coders

rs-trafilatura Supercharges Crawl4AI: 1.7% F1 Boost on Real-World Benchmarks

Token Refresh Stampedes Are Wrecking Apps Everywhere — 40 Lines to Stop the Madness

Rust's Dynamic Duo: rs-trafilatura Turbocharges spider-rs Crawls

Stay in the loop