Inspector Version
0.21.2
Describe the bug
The MCP Apps sandbox in server/static/sandbox_proxy.html rejects valid local/dev embedding origins because the referrer allowlist is hardcoded to loopback hostnames only:
/^http:\/\/(localhost|127\.0\.0\.1)(:|\/|$)/
This breaks legitimate local development setups where the Inspector UI is accessed through another trusted hostname, such as host.docker.internal or 0.0.0.0.
In those cases, opening an MCP App from the Apps tab fails before initialization with an error like:
Embedding domain not allowed in referrer http://host.docker.internal:6274/.
This seems unnecessary because the sandbox already performs a stricter exact-origin validation later for postMessage handling.
To Reproduce
Steps to reproduce the behavior:
- Start an MCP server that exposes an MCP App resource.
- Start @modelcontextprotocol/inspector locally.
- Access the Inspector UI from a valid local/dev hostname other than localhost, for example http://host.docker.internal:6274.
- Connect to the MCP server and open the Apps tab.
- Click an MCP App.
- See the app fail to initialize because the sandbox rejects the embedding referrer.
Concrete example of this setup - we're automating integration testing of our MCP apps via Playwright running inside a docker container to ensure local visual snapshots are generated in a CI-like environment:
- MCP server runs on the host machine
- Inspector runs on the host at :6274
- Playwright runs inside Docker to automate MCP App testing and visual snapshots
- From inside the container, the host Inspector is accessed via http://host.docker.internal:6274
We've bypassed the issue with a patch for the moment:
diff --git a/server/build/static/sandbox_proxy.html b/server/build/static/sandbox_proxy.html
index da77f048816673e538dadfeee35a65bc35b805cb..2786e49515b57addbbc000e3f00220336454a5a9 100644
--- a/server/build/static/sandbox_proxy.html
+++ b/server/build/static/sandbox_proxy.html
@@ -48,7 +48,7 @@
}
const ALLOWED_REFERRER_PATTERN =
- /^http:\/\/(localhost|127\.0\.0\.1)(:|\/|$)/;
+ /^http:\/\/(localhost|127\.0\.0\.1|0\.0\.0\.0|host\.docker\.internal)(:|\/|$)/;
if (window.self === window.top) {
throw new Error("This file is only to be used in an iframe sandbox.");
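Review bot: the hunk patches server/build/static/sandbox_proxy.html, the build output, while the report points at server/static/sandbox_proxy.html as the source of the check, so the change will be lost on the next build; apply it to the source file instead. On the new ALLOWED_REFERRER_PATTERN line, host.docker.internal is not a loopback name: from inside a container it resolves to the host itself (that is how the Playwright setup above reaches the Inspector), so this widens the allowlist to any page served from the host and belongs in a dev-only configuration rather than an unconditional default. The pattern also still admits only http: and has no entry for the bracketed IPv6 form http://[::1], which the report later lists as a candidate. Keeping the trailing `(:|\/|$)` group is the right call, since it is what stops a hostname such as localhost.example.com from matching.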
Expected behavior
MCP Apps should render when the Inspector is accessed from valid local/dev origins beyond localhost, such as host.docker.internal or 0.0.0.0 (see above).
More generally (for v2?), the sandbox should support legitimate local/dev embedding origins without requiring downstream patching.
Environment (please complete the following information):
- OS: macOS host + Docker Desktop Linux container
- Browser: Playwright in Docker (Firefox/WebKit/Chromium), also reproducible in local browser setups that do not use localhost
Additional context
A few related issues seem adjacent but not identical:
This issue is specifically about the hardcoded referrer allowlist in the MCP Apps sandbox.
Some possible fixes from what I understand of the inspector architecture, from smallest to more flexible:
- Extend the built-in allowlist to include common local/dev hostnames such as host.docker.internal, 0.0.0.0, and possibly ::1 - good immediate bugfix?
- Make allowed embedding origins configurable - v2?
- Replace the hardcoded regex with a server-driven allowlist - v2?
Happy to help with a PR for (1) if this direction makes sense. Thanks!
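To show what a hostname-based, configurable embedding check (option 2 in the list above) would look like next to the current regex, here is an added example in JavaScript; it is not code from the Inspector repository. ALLOWED_REFERRER_PATTERN is the page's own regex; isAllowedReferrer, isExpectedOrigin, parseAllowedHosts, DEV_HOSTS and the INSPECTOR_ALLOWED_EMBED_HOSTS variable name are assumptions made for this example.

```javascript
// Added example, not Inspector code. The regex below is the one quoted in the
// issue; everything else is hypothetical and exists only to illustrate a
// configurable, parser-based alternative to it.
const ALLOWED_REFERRER_PATTERN = /^http:\/\/(localhost|127\.0\.0\.1)(:|\/|$)/;

// Hypothetical default dev allowlist. "[::1]" keeps its brackets because
// URL.hostname returns IPv6 literals bracketed.
const DEV_HOSTS = new Set([
  "localhost",
  "127.0.0.1",
  "[::1]",
  "0.0.0.0",
  "host.docker.internal",
]);

// Parse a comma-separated env-style value (hypothetical variable
// INSPECTOR_ALLOWED_EMBED_HOSTS) into an allowlist; empty input means
// "use the defaults".
function parseAllowedHosts(value) {
  if (!value || !value.trim()) return DEV_HOSTS;
  const hosts = value
    .split(",")
    .map((h) => h.trim().toLowerCase())
    .filter((h) => h.length > 0);
  return new Set(hosts);
}

// Behaviour of the current hardcoded check, for comparison.
function regexAllows(referrer) {
  return ALLOWED_REFERRER_PATTERN.test(referrer);
}

// Parser-based check: parse the Referer with the WHATWG URL parser and compare
// the whole hostname against the allowlist. A prefix such as
// "localhost.evil.example" or userinfo tricks like "localhost@evil.example"
// therefore cannot pass, because hostname is the authority the browser
// actually resolved.
function isAllowedReferrer(referrer, allowedHosts = DEV_HOSTS) {
  let url;
  try {
    url = new URL(referrer);
  } catch {
    return false; // empty, missing or unparsable Referer header
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  return allowedHosts.has(url.hostname.toLowerCase());
}

// The second, stricter gate the issue refers to: once the embedding origin has
// been derived from the referrer, every postMessage must carry exactly that
// origin (scheme + host + port), never a pattern match. "null" is the opaque
// origin and is rejected outright.
function isExpectedOrigin(eventOrigin, referrer) {
  let expected;
  try {
    expected = new URL(referrer).origin;
  } catch {
    return false;
  }
  return expected !== "null" && expected === eventOrigin;
}

// Constructed sample referrers: the Docker case from the issue, the loopback
// case that already works, and two hostile lookalikes.
const SAMPLE_REFERRERS = [
  "http://host.docker.internal:6274/",
  "http://localhost:6274/",
  "http://localhost.evil.example/",
  "http://localhost@evil.example/",
];

for (const r of SAMPLE_REFERRERS) {
  console.log(r, "regex:", regexAllows(r), "allowlist:", isAllowedReferrer(r));
}

module.exports = { parseAllowedHosts, regexAllows, isAllowedReferrer, isExpectedOrigin };
```

The allowlist is compared against URL.hostname rather than the raw header so that the scheme, port and path do not need to be re-derived by hand, while isExpectedOrigin keeps the exact-origin comparison for postMessage; widening the first gate does not loosen the second.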
Version Consideration
Inspector V2 is under development to address architectural and UX improvements. During this time, V1 contributions should focus on bug fixes and MCP spec compliance. See CONTRIBUTING.md for more details.