[MCP-UI] add CSP for images to proxy HTML #5931
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Contributor
There was a problem hiding this comment.
Pull request overview
This PR fixes an image loading issue in the MCP-UI proxy by adding the img-src directive to the Content Security Policy (CSP). Without this directive, the CSP was falling back to the restrictive default-src 'self' policy, which prevented images from external origins from loading.
Key Changes
- Added
img-src *directive to the CSP meta tag to allow images from any origin - Updated the comment documentation to include the new img-src directive
zanesq
approved these changes
Dec 1, 2025
zanesq
pushed a commit
that referenced
this pull request
Dec 1, 2025
tlongwell-block
added a commit
that referenced
this pull request
Dec 1, 2025
* origin/main: Feat/automatic update installation (#5345) fix: Added "Merged consecutive assistant messages" to the acceptable issues for moim injection check (#5933) fix: anthropic provider model fetching (#5932) [MCP-UI] add CSP for images to proxy HTML (#5931) fix: correct typo in blog post (AIMDOEL -> AIMODEL) (#5902) feat: @goose in terminal (native terminal support) (#5887) docs: adding AI-friendly features (#5918) Blog/advent of ai announcement (#5917) Extension selector behind ALPHA flag (#5892)
zanesq
added a commit
that referenced
this pull request
Dec 1, 2025
* 'main' of github.com:block/goose: Feat: Added custom headers and toggle keyring CLI options (#5017) Feat/automatic update installation (#5345) fix: Added "Merged consecutive assistant messages" to the acceptable issues for moim injection check (#5933) fix: anthropic provider model fetching (#5932) [MCP-UI] add CSP for images to proxy HTML (#5931)
katzdave
added a commit
that referenced
this pull request
Dec 1, 2025
…nses-streaming * 'main' of github.com:block/goose: Feat/automatic update installation (#5345) fix: Added "Merged consecutive assistant messages" to the acceptable issues for moim injection check (#5933) fix: anthropic provider model fetching (#5932) [MCP-UI] add CSP for images to proxy HTML (#5931) fix: correct typo in blog post (AIMDOEL -> AIMODEL) (#5902) feat: @goose in terminal (native terminal support) (#5887) docs: adding AI-friendly features (#5918) Blog/advent of ai announcement (#5917) Extension selector behind ALPHA flag (#5892) blog: typo fixes (#5896) blog: fixing img url (#5895) blog: MCPs for Developers (#5884) docs: Extension Manager MCP (#5883) Update cleanup marker logic for Fedora users. (#5868) Improve AWS credential loading and configuration handling in BedrockProvider (#5699)
zanesq
added a commit
that referenced
this pull request
Dec 2, 2025
…0-5147 * 'main' of github.com:block/goose: (243 commits) chore: upgrade npm packages (#5951) feat: ActionRequired (#5897) feat(acp): support loading sessions in acp (#5942) docs: add videos to multi-model page (#5938) docs: promote planning guide (#5934) fix: use a lock to ensure only need to run tunnel just in case multiple go… (#5885) Feat: Added custom headers and toggle keyring CLI options (#5017) Feat/automatic update installation (#5345) fix: Added "Merged consecutive assistant messages" to the acceptable issues for moim injection check (#5933) fix: anthropic provider model fetching (#5932) [MCP-UI] add CSP for images to proxy HTML (#5931) fix: correct typo in blog post (AIMDOEL -> AIMODEL) (#5902) feat: @goose in terminal (native terminal support) (#5887) docs: adding AI-friendly features (#5918) Blog/advent of ai announcement (#5917) Extension selector behind ALPHA flag (#5892) blog: typo fixes (#5896) blog: fixing img url (#5895) blog: MCPs for Developers (#5884) docs: Extension Manager MCP (#5883) ... # Conflicts: # crates/goose-server/src/routes/config_management.rs # crates/goose/src/providers/mod.rs # ui/desktop/openapi.json # ui/desktop/src/api/sdk.gen.ts # ui/desktop/src/api/types.gen.ts # ui/desktop/src/components/ProgressiveMessageList.tsx
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
This PR fixes an issue in the MCP-UI proxy HTML document where image sources were unable to load.
Type of Change
Testing
Manual
Related Issues
Relates to #ISSUE_ID
Discussion: LINK (if any)
Screenshots/Demos (for UX changes)
Before: image of cheeseburger does not load (fork and knife icon expected for restaurants with no image)
After: image of cheeseburger does load (fork and knife icon expected for restaurants with no image)
