Add linkTrustedDomains view property #690
Open
fredericbarthelet wants to merge 4 commits into
c9bdb3d to a3af1c7
b369e71 to 6b16ff5
6b16ff5 to 0d70095
Comment on lines +240 to +242
| * This is a UX hint, NOT an authorization mechanism. Hosts retain full | ||
| * authority, MUST still apply their own allowlist/blocklist, and SHOULD NOT | ||
| * treat a declared origin as proof that a destination is safe. |
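Review bot: On the last line of this comment, "SHOULD NOT treat a declared origin as proof that a destination is safe" is weaker than the "MUST still apply their own allowlist/blocklist" just before it, even though the paragraph opens by saying this is not an authorization mechanism. Consider MUST NOT there, and add a sentence stating that a match in the host's blocklist wins over a declared origin, so an implementer cannot read the hint as an override.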
Contributor
Author
@domfarolino, you paid special attention in the corresponding issue on making sure hosts understand this feature is in no way a trust mechanism. Could you review this last part and confirm whether you deem this explanation sufficient to ensure nobody uses linkTrustedDomains as safe?
Contributor
Author
@idosal @liady ready for a first review following our last working group discussion :) Thanks 🙏
Fixes #678
Motivation and Context
Provide an app-controlled way to advertise in-view links that the host MAY allow the user to navigate to with minimal user friction (removing the confirmation modal on redirection).
How Has This Been Tested?
In the basic host implementation
Breaking Changes
None, only added linkTrustedDomains as an optional property
Types of changes
Checklist
Additional context
Removed the @types/nodes override from root package.json in order to be able to up to @types/nodes@24 in basic-host example and use the recent URLPattern class to implement link URL testing against trusted domains.
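One way a host could apply the rule from the reviewed doc comment (host policy first, the declaration only as a UX hint), as an added example that is not code from this pull request. The function names, the three string results and the assumption that linkTrustedDomains is an array of origin strings are illustrative, and it uses the standard `URL` class rather than the `URLPattern` class the description mentions.

```javascript
// Added example (not from the pull request). Assumption: linkTrustedDomains
// is an array of origin strings declared by the app, i.e. untrusted input.
const HOST_BLOCKED_ORIGINS = new Set(["https://blocked.example"]); // constructed host policy

// Keep only bare https origins; anything else in the declaration is ignored.
function normalizeDeclaredOrigins(declared) {
  const origins = new Set();
  for (const entry of Array.isArray(declared) ? declared : []) {
    if (typeof entry !== "string") continue;
    let u;
    try { u = new URL(entry); } catch { continue; }
    if (u.protocol !== "https:" || u.username || u.password) continue;
    if (u.pathname !== "/" || u.search || u.hash) continue;
    origins.add(u.origin);
  }
  return origins;
}

// Returns "block", "confirm" (show the modal) or "open" (skip the modal).
function decideLinkAction(href, declared, hostBlocked = HOST_BLOCKED_ORIGINS) {
  let url;
  try { url = new URL(href); } catch { return "block"; }
  if (url.protocol !== "https:" && url.protocol !== "http:") return "block";
  // Host policy is evaluated first and cannot be overridden by the app.
  if (hostBlocked.has(url.origin)) return "block";
  // Credentials in the authority are a common way to disguise the real host.
  if (url.username || url.password) return "confirm";
  // Exact origin match only: no suffix or substring comparison.
  if (url.protocol === "https:" && normalizeDeclaredOrigins(declared).has(url.origin)) return "open";
  return "confirm";
}

// Constructed sample declaration, including entries a host should not honour.
const SAMPLE_DECLARED = ["https://docs.example", "https://blocked.example", "javascript:void(0)"];
```

The worst outcome of a declaration the host does not recognise is the confirmation modal; only the host's own blocklist produces a block.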