Skip to content

Skybridge App views not showing in conversation #891

Description

@fredericbarthelet

Following a change in ChatGPT in the way both Apps SDK and MCP App are prioritized, app-defined metadata for Content Security Policies (CSP) wasn't sourced properly anymore. Indeed, the domains declared in the app's MCP resource metadata, like the allowed resources domains, never make it into the CSP the host enforces. The iframe used to render the views blocked all request to download JSS and CSS required to render the app.

The root cause is a mismatch between which MCP resource ChatGPT now reads and which metadata key carries the CSP domains.

Skybridge apps have historically supported both Apps SDK and MCP Apps, each exposed through its own MCP resource:

  • Apps SDK resource (ui://views/apps-sdk/...html) — exposes Apps SDK metadata and lists allowed asset domains under openai/widgetCSP.resource_domains.
  • MCP App resource (ui://views/ext-apps/...html) — exposes MCP App metadata and lists allowed asset domains under ui.csp.resourceDomains.

Until now, ChatGPT preferentially sourced the Apps SDK resource (referenced via the tool's openai/outputTemplate metadata), even when the tool also advertised MCP App properties. Today we observed that ChatGPT switched to preferring the MCP App resource through the ui.resourceUri property. This behavior change wasn't implemented for new apps only, but also for apps already submitted to the store.

The regression appears to be that this switch reads the new resource but still looks for the old CSP metadata key. As a result, the asset domains declared on the MCP App resource (ui.csp.resourceDomains) are never applied to the iframe CSP, and the view's assets are blocked.

These metadata are cached at submission time on ChatGPT infrastructure.

The only way to re-render correctly the app was to trigger a cache invalidation on ChatGPT side through submitting a new version of the app.

Follow along the conversation on OpenAI community forum thread: https://community.openai.com/t/view-csps-not-sourced-anymore-for-apps-published-in-store/1385052

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type
    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions