diff --git a/docs/src/guide/client/using-a-proxy.md b/docs/src/guide/client/using-a-proxy.md
index 9b7332cb..5c800b06 100644
--- a/docs/src/guide/client/using-a-proxy.md
+++ b/docs/src/guide/client/using-a-proxy.md
@@ -1,11 +1,14 @@
-# Using a Proxy Script for External URLs
+# Using a Proxy Script for External URLs and Raw HTML
 
-When rendering external URLs (`text/uri-list`), you may need to use a "proxy" to comply with your host's restrictive Content Security Policy (CSP). The proxy domain must be whitelisted as a `frame-src`. The `proxy` prop on `<UIResourceRenderer>` allows you to specify a URL for a proxy script that will render the external content in a nested iframe.
+When rendering external URLs (`text/uri-list`) or raw HTML (`text/html`), you may need to use a "proxy" to comply with your host's restrictive Content Security Policy (CSP). The proxy domain must be whitelisted as a `frame-src`. The `proxy` prop on `<UIResourceRenderer>` allows you to specify a URL for a proxy script that will render the content in a nested iframe on a different origin.
 
-When `proxy` is set, the external URL is encoded and appended to the proxy URL. For example, if `proxy` is `https://my-proxy.com/`, the final URL will be `https://my-proxy.com/?url=<encoded_original_url>`.
+There are two proxy flows:
+
+- External URLs: the external URL is encoded and appended as `?url=<encoded_original_url>` to the proxy URL. For example: `https://my-proxy.com/?url=<encoded_original_url>`.
+- Raw HTML: the proxy is loaded with `?contentType=rawhtml`, and the HTML and inner iframe sandbox are delivered via `postMessage` after the proxy iframe signals it's ready.
 
 ::: tip Important
-The term "proxy" in this context does not refer to a real proxy server. It is a static, client-side script that nests the external URL content within an iframe. This process occurs locally in the user's browser. User data never reaches a remote server.
+The term "proxy" in this context does not refer to a real proxy server. It is a static, client-side script that nests the UI resource's iframe within a "proxy" iframe. This process occurs locally in the user's browser. User data never reaches a remote server.
 :::
 
 ## Using the Hosted Proxy
@@ -28,6 +31,28 @@ Please verify that the host whitelists `https://proxy.mcpui.dev` as a `frame-src
 
 You can find a complete example for a site with restrictive CSP that uses the hosted proxy at `examples/external-url-demo`.
 
+## Architecture
+
+```mermaid
+sequenceDiagram
+  participant Host as Host Page
+  participant Proxy as Proxy iframe
+  participant Inner as Inner iframe (UI widget)
+  Host->>Proxy: Load proxy (with "?url" or "?contentType=rawhtml")
+  alt External URL
+    Proxy->>Inner: Create with src = decoded url
+  else rawHtml
+    Proxy-->>Host: ui-proxy-iframe-ready message
+    Host->>Proxy: ui-html-content message ({ html, sandbox })
+    Proxy->>Inner: Create with sandbox
+    Proxy->>Inner: Set srcDoc to HTML
+  end
+  Inner-->>Proxy: Messages (e.g., UI actions)
+  Proxy-->>Host: Relay (Inner -> Host)
+  Host-->>Proxy: Message responses
+  Proxy-->>Inner: Relay (Host -> Inner)
+```
+
 ## Self-Hosting the Proxy Script
 
 If you prefer to host your own proxy script, you can create a simple HTML file with embedded JavaScript. This is a useful alternative to the hosted version when you want more control or a custom domain.
@@ -38,14 +63,17 @@ If you prefer to host your own proxy script, you can create a simple HTML file w
 
 A valid proxy script must:
 
-1.  **Accept a `url` query parameter**: The script should retrieve the target URL from the `url` query parameter in its own URL.
-2.  **Validate the URL**: It must validate that the provided URL is a valid `http:` or `https:` URL to prevent abuse.
-3.  **Render in an Iframe**: The script should dynamically create an iframe and set its `src` to the validated target URL.
-4.  **Sandbox the Iframe**: The iframe must be sandboxed to restrict its capabilities. A minimal sandbox policy would be `allow-scripts allow-same-origin`.
-5.  **Forward `postMessage` Events**: To allow communication between the host application and the embedded external URL, the proxy needs to forward `message` events between `window.parent` and the iframe's `contentWindow`. For security, it's critical to use a specific `targetOrigin` instead of `*` in `postMessage` calls whenever possible. The `targetOrigin` for messages to the iframe should be the external URL's origin; Messages to the parent will resort to `*`.
+1.  **External URLs (`url` query parameter)**: Retrieve `url` from the query string, validate it as `http:`/`https:`, and render it in a nested iframe.
+2.  **Raw HTML (`contentType=rawhtml`)**: When `contentType=rawhtml` is present, the proxy must:
+    - Create a nested iframe and emit a ready signal (`ui-proxy-iframe-ready`) to `window.parent`.
+    - Receive a single `postMessage` with `{ html: string, sandbox?: string }` (message type e.g. `ui-html-content`).
+    - Apply `sandbox` to the inner iframe, then set the inner iframe `srcdoc` to the provided HTML.
+3.  **Sandbox the Iframe**: The nested iframe must be sandboxed to restrict capabilities. For external URLs a minimal policy is `allow-scripts allow-same-origin`; for raw HTML a minimal policy is `allow-scripts` unless you explicitly need additional capabilities.
+4.  **Forward `postMessage` Events**: To allow communication between the host application and the embedded external URL, the proxy needs to forward `message` events between `window.parent` and the iframe's `contentWindow`. For security, it's critical to use a specific `targetOrigin` instead of `*` in `postMessage` calls whenever possible. The `targetOrigin` for messages to the iframe should be the external URL's origin; Messages to the parent will default to `*`.
+5.  **Permissive Proxy CSP**: Serve the proxy page with a permissive CSP that does not block nested iframe content (e.g., allowing scripts, styles, images) since the host CSP is intentionally not applied on the proxy origin.
 
 ### Example Self-Hosted Proxy
 
-Here is an example of a self-hosted proxy script that meets these requirements. You can find this file in `sdks/typescript/client/scripts/proxy/index.html`.
+Here is an example of a self-hosted proxy script that meets these requirements (supports both `url` for external URLs and `contentType=rawhtml` + `postMessage` for raw HTML). You can find this file in `sdks/typescript/client/scripts/proxy/index.html`.
 
 <<< @/../../sdks/typescript/client/scripts/proxy/index.html 
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 457387d1..9ea58da5 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -404,6 +404,9 @@ importers:
       '@testing-library/react':
         specifier: ^14.0.0
         version: 14.3.1(@types/react@18.3.23)(react-dom@18.3.1(react@18.3.1))(react@18.3.1)
+      '@types/jsdom':
+        specifier: ^27.0.0
+        version: 27.0.0
       '@types/react':
         specifier: ^18.2.0
         version: 18.3.23
@@ -3003,6 +3006,9 @@ packages:
   '@types/jest@29.5.14':
     resolution: {integrity: sha512-ZN+4sdnLUbo8EVvVc2ao0GFW6oVrQRPn4K2lglySj7APvSrgzxHiNNK99us4WDMi57xxA2yggblIAMNhXOotLQ==}
 
+  '@types/jsdom@27.0.0':
+    resolution: {integrity: sha512-NZyFl/PViwKzdEkQg96gtnB8wm+1ljhdDay9ahn4hgb+SfVtPCbm3TlmDUFXTA+MGN3CijicnMhG18SI5H3rFw==}
+
   '@types/json-schema@7.0.15':
     resolution: {integrity: sha512-5+fP8P8MFNC+AyZCDxrB2pkZFPGzqQWUzpSeuuVLvm8VMcorNYavBqoFcxK8bQz4Qsbn4oUEEem4wDLfcysGHA==}
 
@@ -3077,6 +3083,9 @@ packages:
   '@types/stack-utils@2.0.3':
     resolution: {integrity: sha512-9aEbYZ3TbYMznPdcdr3SmIrLXwC/AKZXQeCf9Pgao5CKb8CyHuEX5jzWPTkvregvhRJHcpRO6BFoGW9ycaOkYw==}
 
+  '@types/tough-cookie@4.0.5':
+    resolution: {integrity: sha512-/Ad8+nIOV7Rl++6f1BdKxFSMgmoqEoYbHRpPcx3JEfv8VRsQe9Z4mCXeJBzxs7mbHY/XOZZuXlRNfhpVPbs6ZA==}
+
   '@types/trusted-types@2.0.7':
     resolution: {integrity: sha512-ScaPdn1dQczgbl0QFTeTOmVHFULt394XJgOQNoyVhZ6r2vLnMLJfBPd53SB52T/3G36VI1/g2MZaX0cwDuXsfw==}
 
@@ -10934,6 +10943,12 @@ snapshots:
       expect: 29.7.0
       pretty-format: 29.7.0
 
+  '@types/jsdom@27.0.0':
+    dependencies:
+      '@types/node': 20.19.1
+      '@types/tough-cookie': 4.0.5
+      parse5: 7.3.0
+
   '@types/json-schema@7.0.15': {}
 
   '@types/leaflet@1.9.19':
@@ -11018,6 +11033,8 @@ snapshots:
 
   '@types/stack-utils@2.0.3': {}
 
+  '@types/tough-cookie@4.0.5': {}
+
   '@types/trusted-types@2.0.7':
     optional: true
 
diff --git a/sdks/typescript/client/package.json b/sdks/typescript/client/package.json
index b1bcf0e2..036cc651 100644
--- a/sdks/typescript/client/package.json
+++ b/sdks/typescript/client/package.json
@@ -28,6 +28,7 @@
   "devDependencies": {
     "@testing-library/jest-dom": "^6.0.0",
     "@testing-library/react": "^14.0.0",
+    "@types/jsdom": "^27.0.0",
     "@types/react": "^18.2.0",
     "@vitejs/plugin-react": "^4.0.0",
     "esbuild": "^0.25.5",
diff --git a/sdks/typescript/client/scripts/proxy/index.html b/sdks/typescript/client/scripts/proxy/index.html
index 5460628d..67263db8 100644
--- a/sdks/typescript/client/scripts/proxy/index.html
+++ b/sdks/typescript/client/scripts/proxy/index.html
@@ -2,6 +2,8 @@
 <html>
   <head>
     <meta charset="utf-8" />
+    <!-- Permissive CSP so nested content is not constrained by host CSP -->
+    <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' 'wasm-unsafe-eval' 'unsafe-inline' 'unsafe-eval' blob: https://cdn.tailwindcss.com https://cdn.jsdelivr.net https://unpkg.com; style-src * 'unsafe-inline'; connect-src *; frame-src 'none'; base-uri 'self'; upgrade-insecure-requests;" />
     <title>MCP-UI Proxy</title>
     <style>
       html,
@@ -28,7 +30,9 @@
   </head>
   <body>
     <script>
-      const target = new URLSearchParams(location.search).get('url');
+      const params = new URLSearchParams(location.search);
+      const contentType = params.get('contentType');
+      const target = params.get('url');
 
       // Validate that the URL is a valid HTTP or HTTPS URL
       function isValidHttpUrl(string) {
@@ -40,27 +44,58 @@
         }
       }
 
-      if (!target) {
-        document.body.textContent = 'Error: missing url parameter';
-      } else if (!isValidHttpUrl(target)) {
-        document.body.textContent = 'Error: invalid URL. Only HTTP and HTTPS URLs are allowed.';
-      } else {
+      if (contentType === 'rawhtml') {
+        // Double-iframe raw HTML mode (HTML sent via postMessage)
         const inner = document.createElement('iframe');
-        inner.src = target;
         inner.style = 'width:100%; height:100%; border:none;';
-        inner.sandbox = 'allow-same-origin allow-scripts';
+        // sandbox will be set from postMessage payload; default minimal before html arrives
+        inner.setAttribute('sandbox', 'allow-scripts');
         document.body.appendChild(inner);
-        const urlOrigin = new URL(target).origin;
 
+        // Wait for HTML content from parent
         window.addEventListener('message', (event) => {
-          if (event.source === window.parent) {
-            // listen for messages from the parent and send them to the iframe
-            inner.contentWindow.postMessage(event.data, urlOrigin);
+          if (event.source === window.parent && event.data && event.data.type === 'ui-html-content') {
+            const payload = event.data.payload || {};
+            const html = payload.html;
+            const sandbox = payload.sandbox;
+            if (typeof sandbox === 'string') {
+              inner.setAttribute('sandbox', sandbox);
+            }
+            if (typeof html === 'string') {
+              inner.srcdoc = html;
+            }
           } else if (event.source === inner.contentWindow) {
-            // listen for messages from the iframe and send them to the parent
+            // Relay messages from inner to parent
             window.parent.postMessage(event.data, '*');
           }
         });
+
+        // Notify parent that proxy is ready to receive HTML (distinct event)
+        window.parent.postMessage({ type: 'ui-proxy-iframe-ready' }, '*');
+      } else if (target) {
+        if (!isValidHttpUrl(target)) {
+          document.body.textContent = 'Error: invalid URL. Only HTTP and HTTPS URLs are allowed.';
+        } else {
+          const inner = document.createElement('iframe');
+          inner.src = target;
+          inner.style = 'width:100%; height:100%; border:none;';
+          // Default external URL sandbox; can be adjusted later by protocol if needed
+          inner.setAttribute('sandbox', 'allow-same-origin allow-scripts');
+          document.body.appendChild(inner);
+          const urlOrigin = new URL(target).origin;
+
+          window.addEventListener('message', (event) => {
+            if (event.source === window.parent) {
+              // listen for messages from the parent and send them to the iframe
+              inner.contentWindow.postMessage(event.data, urlOrigin);
+            } else if (event.source === inner.contentWindow) {
+              // listen for messages from the iframe and send them to the parent
+              window.parent.postMessage(event.data, '*');
+            }
+          });
+        }
+      } else {
+        document.body.textContent = 'Error: missing url or html parameter';
       }
     </script>
   </body>
diff --git a/sdks/typescript/client/src/components/HTMLResourceRenderer.tsx b/sdks/typescript/client/src/components/HTMLResourceRenderer.tsx
index 95fa246d..eef08fc3 100644
--- a/sdks/typescript/client/src/components/HTMLResourceRenderer.tsx
+++ b/sdks/typescript/client/src/components/HTMLResourceRenderer.tsx
@@ -26,6 +26,11 @@ export const InternalMessageType = {
   UI_LIFECYCLE_IFRAME_READY: 'ui-lifecycle-iframe-ready',
   UI_LIFECYCLE_IFRAME_RENDER_DATA: 'ui-lifecycle-iframe-render-data',
   UI_REQUEST_RENDER_DATA: 'ui-request-render-data',
+  
+  // Proxy-only lifecycle for outer iframe (distinct from widget readiness)
+  UI_PROXY_IFRAME_READY: 'ui-proxy-iframe-ready',
+  // Content transport for raw HTML when using proxy
+  UI_HTML_CONTENT: 'ui-html-content',
 } as const;
 
 export const ReservedUrlParams = {
@@ -88,27 +93,61 @@ export const HTMLResourceRenderer = ({
           },
         );
       }
+
       iframeProps?.onLoad?.(event);
     },
     [initialRenderData, iframeSrcToRender, iframeProps?.onLoad],
   );
 
+  const sandbox = useMemo(() => {
+    if (iframeRenderMode === 'srcDoc') {
+      // with raw HTML we don't set allow-same-origin for security reasons
+      return mergeSandboxPermissions(sandboxPermissions ?? '', 'allow-scripts');
+    }
+    return mergeSandboxPermissions(sandboxPermissions ?? '', 'allow-scripts allow-same-origin');
+  }, [sandboxPermissions, iframeRenderMode]);
+
   useEffect(() => {
     async function handleMessage(event: MessageEvent) {
       const { source, origin, data } = event;
       // Only process the message if it came from this specific iframe
       if (iframeRef.current && source === iframeRef.current.contentWindow) {
-        // if the iframe is ready, send the render data to the iframe
-        if (data?.type === InternalMessageType.UI_LIFECYCLE_IFRAME_READY && initialRenderData) {
-          postToFrame(
-            InternalMessageType.UI_LIFECYCLE_IFRAME_RENDER_DATA,
-            source,
-            origin,
-            undefined,
-            {
-              renderData: initialRenderData,
-            },
-          );
+        // if the proxy iframe is ready, send the HTML content
+        if (data?.type === InternalMessageType.UI_PROXY_IFRAME_READY) {
+          // Send HTML content if in rawhtml proxy mode
+          if (
+            iframeRenderMode === 'src' &&
+            htmlString &&
+            iframeSrcToRender?.includes('contentType=rawhtml')
+          ) {
+            postToFrame(
+              InternalMessageType.UI_HTML_CONTENT,
+              source,
+              origin,
+              undefined,
+              {
+                html: htmlString,
+                sandbox,
+              },
+            );
+          }
+          return;
+        }
+
+        // if the widget iframe is ready, send the render data
+        if (data?.type === InternalMessageType.UI_LIFECYCLE_IFRAME_READY) {
+          // Send render data if present
+          if (initialRenderData) {
+            postToFrame(
+              InternalMessageType.UI_LIFECYCLE_IFRAME_RENDER_DATA,
+              source,
+              origin,
+              undefined,
+              {
+                renderData: initialRenderData,
+              },
+            );
+          }
           return;
         }
 
@@ -170,17 +209,11 @@ export const HTMLResourceRenderer = ({
     }
     window.addEventListener('message', handleMessage);
     return () => window.removeEventListener('message', handleMessage);
-  }, [onUIAction]);
+  }, [onUIAction, initialRenderData, iframeRenderMode, htmlString, iframeSrcToRender, sandbox]);
 
   if (error) return <p className="text-red-500">{error}</p>;
 
-  const sandbox = useMemo(() => {
-    if (iframeRenderMode === 'srcDoc') {
-      // with raw HTML we don't set allow-same-origin for security reasons
-      return mergeSandboxPermissions(sandboxPermissions ?? '', 'allow-scripts');
-    }
-    return mergeSandboxPermissions(sandboxPermissions ?? '', 'allow-scripts allow-same-origin');
-  }, [sandboxPermissions, iframeRenderMode]);
+
 
   if (iframeRenderMode === 'srcDoc') {
     if (htmlString === null || htmlString === undefined) {
diff --git a/sdks/typescript/client/src/components/UIResourceRenderer.tsx b/sdks/typescript/client/src/components/UIResourceRenderer.tsx
index 34b06ab0..c92549ce 100644
--- a/sdks/typescript/client/src/components/UIResourceRenderer.tsx
+++ b/sdks/typescript/client/src/components/UIResourceRenderer.tsx
@@ -39,13 +39,7 @@ export const UIResourceRenderer = (props: UIResourceRendererProps) => {
   }
 
   switch (contentType) {
-    case 'rawHtml': {
-      // eslint-disable-next-line @typescript-eslint/no-unused-vars
-      const { proxy, ...otherHtmlProps } = htmlProps || {};
-      return (
-        <HTMLResourceRenderer resource={resource} onUIAction={onUIAction} {...otherHtmlProps} />
-      );
-    }
+    case 'rawHtml':
     case 'externalUrl': {
       return <HTMLResourceRenderer resource={resource} onUIAction={onUIAction} {...htmlProps} />;
     }
diff --git a/sdks/typescript/client/src/components/__tests__/ProxyScript.test.ts b/sdks/typescript/client/src/components/__tests__/ProxyScript.test.ts
new file mode 100644
index 00000000..547f2e1b
--- /dev/null
+++ b/sdks/typescript/client/src/components/__tests__/ProxyScript.test.ts
@@ -0,0 +1,73 @@
+import { describe, it, expect } from 'vitest';
+import { readFileSync } from 'node:fs';
+import path from 'node:path';
+import { JSDOM } from 'jsdom';
+import '@testing-library/jest-dom';
+
+function nextTick(): Promise<void> {
+  return new Promise((resolve) => setTimeout(resolve, 0));
+}
+
+describe('Proxy script', () => {
+  it('should apply sandbox and inject srcdoc when receiving html via postMessage', async () => {
+    const proxyPath = path.resolve(__dirname, '../../../scripts/proxy/index.html');
+    const proxyHtml = readFileSync(proxyPath, 'utf8');
+
+    // Create jsdom with proxy URL using contentType=rawhtml
+    const dom = new JSDOM(proxyHtml, {
+      url: 'http://proxy.local/?contentType=rawhtml',
+      runScripts: 'dangerously',
+      resources: 'usable',
+      pretendToBeVisual: true,
+    });
+
+    const { window } = dom;
+
+    // Capture the ready signal emitted by the proxy
+    let proxyReady = false;
+    window.addEventListener('message', (event: MessageEvent) => {
+      const data = event.data as { type?: string };
+      if (data?.type === 'ui-proxy-iframe-ready') {
+        proxyReady = true;
+      }
+    });
+
+    // Allow the inline script to run and emit readiness
+    await nextTick();
+    expect(proxyReady).toBe(true);
+
+    // Find the outer iframe container (created after readiness listener install)
+    const outerDoc = window.document;
+    const outerIframe = outerDoc.querySelector('iframe');
+    expect(outerIframe).toBeTruthy();
+
+    // Send the html + sandbox payload
+    const html = '<!doctype html><html><body><form><input></form></body></html>';
+    const sandbox = 'allow-forms allow-scripts';
+    // Simulate parent -> proxy message ensuring source === window.parent
+    const MsgEvent: typeof MessageEvent = window.MessageEvent;
+    window.dispatchEvent(
+      new MsgEvent('message', {
+        data: { type: 'ui-html-content', payload: { html, sandbox } },
+        source: window.parent,
+      }),
+    );
+
+    // Let the proxy handle the message and construct the inner iframe
+    await nextTick();
+    await nextTick();
+
+    // Assert inner iframe present and configured
+    const innerIframe = outerDoc.querySelector('iframe');
+    expect(innerIframe).toBeTruthy();
+    // In this simple structure, the same reference is inner (since appended to body),
+    // but we still assert sandbox and srcdoc were applied
+    const sandboxAttr = innerIframe?.getAttribute('sandbox') || '';
+    expect(sandboxAttr.includes('allow-forms')).toBe(true);
+    expect(sandboxAttr.includes('allow-scripts')).toBe(true);
+
+    // jsdom exposes srcdoc as attribute
+    const srcdocAttr = innerIframe?.getAttribute('srcdoc') || '';
+    expect(srcdocAttr.includes('<form>')).toBe(true);
+  });
+});
diff --git a/sdks/typescript/client/src/components/__tests__/UIResourceRenderer.test.tsx b/sdks/typescript/client/src/components/__tests__/UIResourceRenderer.test.tsx
index ed96f63f..248535ad 100644
--- a/sdks/typescript/client/src/components/__tests__/UIResourceRenderer.test.tsx
+++ b/sdks/typescript/client/src/components/__tests__/UIResourceRenderer.test.tsx
@@ -90,12 +90,15 @@ describe('<UIResourceRenderer />', () => {
     );
   });
 
-  it('should not pass proxy prop to HTMLResourceRenderer for HTML content', () => {
+  it('should pass proxy prop to HTMLResourceRenderer for raw HTML', () => {
     const resource = { ...baseResource, mimeType: 'text/html' };
     render(
       <UIResourceRenderer resource={resource} htmlProps={{ proxy: 'https://proxy.mcpui.dev/' }} />,
     );
     expect(screen.getByTestId('html-resource')).toBeInTheDocument();
-    expect(HTMLResourceRenderer).toHaveBeenCalledWith({ resource }, {});
+    expect(HTMLResourceRenderer).toHaveBeenCalledWith(
+      { resource, proxy: 'https://proxy.mcpui.dev/' },
+      {},
+    );
   });
 });
diff --git a/sdks/typescript/client/src/components/__tests__/UIResourceRenderer.unmocked.test.tsx b/sdks/typescript/client/src/components/__tests__/UIResourceRenderer.unmocked.test.tsx
index 785cc97c..7484d29c 100644
--- a/sdks/typescript/client/src/components/__tests__/UIResourceRenderer.unmocked.test.tsx
+++ b/sdks/typescript/client/src/components/__tests__/UIResourceRenderer.unmocked.test.tsx
@@ -68,6 +68,60 @@ describe('UIResourceRenderer', () => {
     expect(ref.current?.style.width).toBe('200px');
     expect(ref.current?.style.height).toBe('100px');
   });
+
+  describe('Proxy', () => {
+    function nextTick(): Promise<void> {
+      return new Promise((resolve) => setTimeout(resolve, 0));
+    }
+
+    it('should render proxy iframe and send data when proxy iframe is ready', async () => {
+      const ref = React.createRef<HTMLIFrameElement>();
+      const proxy = 'https://proxy.example/';
+      const resource: Partial<Resource> = {
+        mimeType: 'text/html',
+        text: '<!doctype html><html><body><form><input></form></body></html>',
+      };
+
+      render(
+        <UIResourceRenderer
+          resource={resource}
+          htmlProps={{ proxy, sandboxPermissions: 'allow-forms', iframeProps: { ref } }}
+        />,
+      );
+
+      expect(ref.current).toBeInTheDocument();
+      // Outer iframe should target the proxy with contentType=rawhtml
+      expect(ref.current?.src).toContain('contentType=rawhtml');
+
+      // Stub and simulate proxy ready
+      const postMessageMock = vi.fn();
+      Object.defineProperty(ref.current as HTMLIFrameElement, 'contentWindow', {
+        value: { postMessage: postMessageMock },
+        writable: false,
+      });
+
+      const MsgEvent: typeof MessageEvent = window.MessageEvent;
+      window.dispatchEvent(
+        new MsgEvent('message', {
+          data: { type: 'ui-proxy-iframe-ready' },
+          source: (ref.current as HTMLIFrameElement).contentWindow as Window,
+          origin: 'https://proxy.example',
+        }),
+      );
+
+      await nextTick();
+
+      const calls = postMessageMock.mock.calls;
+      expect(calls.length).toBeGreaterThan(0);
+      const [sentMessage, targetOrigin] = calls[0];
+      expect(targetOrigin).toBe('https://proxy.example');
+      expect(sentMessage?.type).toBe('ui-html-content');
+      expect(sentMessage?.payload?.html).toContain('<form>');
+      const payloadSandbox: string = sentMessage?.payload?.sandbox || '';
+      expect(payloadSandbox.includes('allow-scripts')).toBe(true);
+      expect(payloadSandbox.includes('allow-forms')).toBe(true);
+    });
+  });
 });
 
 const dispatchMessage = (source: Window | null, data: Record<string, unknown> | null) => {
diff --git a/sdks/typescript/client/src/utils/__tests__/processResource.test.ts b/sdks/typescript/client/src/utils/__tests__/processResource.test.ts
index b92815dd..ee00b387 100644
--- a/sdks/typescript/client/src/utils/__tests__/processResource.test.ts
+++ b/sdks/typescript/client/src/utils/__tests__/processResource.test.ts
@@ -241,6 +241,73 @@ describe('processHTMLResource', () => {
         expect(result.iframeSrc).toBe('https://example.com');
         expect(result.iframeRenderMode).toBe('src');
       });
+
+      it('should use proxy when provided for rawHtml (text/html)', () => {
+        const html = '<h1>Test HTML</h1>';
+        const resource = {
+          mimeType: 'text/html' as const,
+          text: html,
+        };
+        const result = processHTMLResource(resource, 'https://proxy.mcpui.dev/');
+        expect(result.error).toBeUndefined();
+        expect(result.iframeRenderMode).toBe('src');
+        expect(result.iframeSrc).toBe('https://proxy.mcpui.dev/?contentType=rawhtml');
+        // HTML should be preserved to send via postMessage
+        expect(result.htmlString).toBe(html);
+      });
+
+      it('should use proxy for rawHtml from blob content', () => {
+        const html = '<p>Blob HTML</p>';
+        const resource = {
+          mimeType: 'text/html' as const,
+          blob: btoa(html),
+        };
+        const result = processHTMLResource(resource, 'https://proxy.mcpui.dev/');
+        expect(result.error).toBeUndefined();
+        expect(result.iframeRenderMode).toBe('src');
+        expect(result.iframeSrc).toBe('https://proxy.mcpui.dev/?contentType=rawhtml');
+        // HTML should be preserved to send via postMessage
+        expect(result.htmlString).toBe(html);
+      });
+
+      it('should fallback to srcDoc for rawHtml if proxy is invalid', () => {
+        const html = '<h1>Test HTML</h1>';
+        const resource = {
+          mimeType: 'text/html' as const,
+          text: html,
+        };
+        const result = processHTMLResource(resource, 'not-a-valid-url');
+        expect(result.error).toBeUndefined();
+        expect(result.iframeRenderMode).toBe('srcDoc');
+        expect(result.htmlString).toBe(html);
+        expect(result.iframeSrc).toBeUndefined();
+      });
+
+      it('should not use proxy for rawHtml when proxy is empty string', () => {
+        const html = '<h1>Test HTML</h1>';
+        const resource = {
+          mimeType: 'text/html' as const,
+          text: html,
+        };
+        const result = processHTMLResource(resource, '');
+        expect(result.error).toBeUndefined();
+        expect(result.iframeRenderMode).toBe('srcDoc');
+        expect(result.htmlString).toBe(html);
+        expect(result.iframeSrc).toBeUndefined();
+      });
+
+      it('should not use proxy for rawHtml when proxy is not provided', () => {
+        const html = '<h1>Test HTML</h1>';
+        const resource = {
+          mimeType: 'text/html' as const,
+          text: html,
+        };
+        const result = processHTMLResource(resource);
+        expect(result.error).toBeUndefined();
+        expect(result.iframeRenderMode).toBe('srcDoc');
+        expect(result.htmlString).toBe(html);
+        expect(result.iframeSrc).toBeUndefined();
+      });
     });
   });
 
diff --git a/sdks/typescript/client/src/utils/processResource.ts b/sdks/typescript/client/src/utils/processResource.ts
index 7fba442b..fa2b9c37 100644
--- a/sdks/typescript/client/src/utils/processResource.ts
+++ b/sdks/typescript/client/src/utils/processResource.ts
@@ -111,20 +111,15 @@ export function processHTMLResource(
     };
   } else if (resource.mimeType === 'text/html') {
     // Handle HTML content
+    let htmlContent = '';
+    
     if (typeof resource.text === 'string') {
-      return {
-        htmlString: resource.text,
-        iframeRenderMode: 'srcDoc',
-      };
+      htmlContent = resource.text;
     } else if (typeof resource.blob === 'string') {
       try {
-        const decodedHtml = new TextDecoder().decode(
+        htmlContent = new TextDecoder().decode(
           Uint8Array.from(atob(resource.blob), (c) => c.charCodeAt(0)),
         );
-        return {
-          htmlString: decodedHtml,
-          iframeRenderMode: 'srcDoc',
-        };
       } catch (e) {
         console.error('Error decoding base64 blob for HTML content:', e);
         return {
@@ -136,6 +131,35 @@ export function processHTMLResource(
         error: 'HTML resource requires text or blob content.',
       };
     }
+
+    if (proxy && proxy.trim() !== '') {
+      try {
+        const proxyUrl = new URL(proxy);
+        // The proxy host MUST NOT be the host URL, or the proxy can escape the sandbox
+        if (typeof window !== 'undefined' && proxyUrl.host === window.location.host) {
+          console.error(
+            'For security, the proxy origin must not be the same as the host origin. Using srcDoc rendering instead.',
+          );
+        } else {
+          proxyUrl.searchParams.set('contentType', 'rawhtml');
+          return {
+            iframeSrc: proxyUrl.toString(),
+            iframeRenderMode: 'src',
+            htmlString: htmlContent, // Pass HTML so it can be sent to the proxy via postMessage
+          };
+        }
+      } catch (e: unknown) {
+        console.error(
+          `Invalid proxy URL provided: "${proxy}". Falling back to srcDoc rendering.`,
+          e instanceof Error ? e.message : String(e),
+        );
+      }
+    }
+
+    return {
+      htmlString: htmlContent,
+      iframeRenderMode: 'srcDoc',
+    };
   } else {
     return {
       error: 'Unsupported mimeType. Expected text/html or text/uri-list.',
diff --git a/sdks/typescript/server/src/index.ts b/sdks/typescript/server/src/index.ts
index ab3b215e..714c5f0f 100644
--- a/sdks/typescript/server/src/index.ts
+++ b/sdks/typescript/server/src/index.ts
@@ -136,6 +136,8 @@ export const InternalMessageType = {
 
   UI_LIFECYCLE_IFRAME_READY: 'ui-lifecycle-iframe-ready',
   UI_LIFECYCLE_IFRAME_RENDER_DATA: 'ui-lifecycle-iframe-render-data',
+  
+  UI_RAWHTML_CONTENT: 'ui-html-content',
 };
 
 export const ReservedUrlParams = {