Skip to content

Add linkTrustedDomains view property#690

Open
fredericbarthelet wants to merge 4 commits into
modelcontextprotocol:mainfrom
alpic-ai:link-trusted-domains
Open

Add linkTrustedDomains view property#690
fredericbarthelet wants to merge 4 commits into
modelcontextprotocol:mainfrom
alpic-ai:link-trusted-domains

Conversation

@fredericbarthelet

@fredericbarthelet fredericbarthelet commented Jun 17, 2026

Copy link
Copy Markdown
Contributor

Fixes #678

Motivation and Context

Provide an app controlled way to advertise in-view links that host MAY allow user to navigate to with minimal user friction (removing confirmation modal on redirection).

How Has This Been Tested?

In the basic host implementation

Breaking Changes

None, only added linkTrustedDomains as an optional property

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Checklist

  • I have read the MCP Documentation
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • I have added or updated documentation as needed

Additional context

Removed the @types/nodes override from root package.json in order to be able to up to @types/nodes@24 in basic-host exemple and use the recent URLPattern class to implement link URL testing against trusted domains.

@pkg-pr-new

pkg-pr-new Bot commented Jun 17, 2026

Copy link
Copy Markdown

Open in StackBlitz

@modelcontextprotocol/ext-apps

npm i https://pkg.pr.new/@modelcontextprotocol/ext-apps@690

@modelcontextprotocol/server-basic-preact

npm i https://pkg.pr.new/@modelcontextprotocol/server-basic-preact@690

@modelcontextprotocol/server-basic-react

npm i https://pkg.pr.new/@modelcontextprotocol/server-basic-react@690

@modelcontextprotocol/server-basic-solid

npm i https://pkg.pr.new/@modelcontextprotocol/server-basic-solid@690

@modelcontextprotocol/server-basic-svelte

npm i https://pkg.pr.new/@modelcontextprotocol/server-basic-svelte@690

@modelcontextprotocol/server-basic-vanillajs

npm i https://pkg.pr.new/@modelcontextprotocol/server-basic-vanillajs@690

@modelcontextprotocol/server-basic-vue

npm i https://pkg.pr.new/@modelcontextprotocol/server-basic-vue@690

@modelcontextprotocol/server-budget-allocator

npm i https://pkg.pr.new/@modelcontextprotocol/server-budget-allocator@690

@modelcontextprotocol/server-cohort-heatmap

npm i https://pkg.pr.new/@modelcontextprotocol/server-cohort-heatmap@690

@modelcontextprotocol/server-customer-segmentation

npm i https://pkg.pr.new/@modelcontextprotocol/server-customer-segmentation@690

@modelcontextprotocol/server-debug

npm i https://pkg.pr.new/@modelcontextprotocol/server-debug@690

@modelcontextprotocol/server-lazy-auth

npm i https://pkg.pr.new/@modelcontextprotocol/server-lazy-auth@690

@modelcontextprotocol/server-map

npm i https://pkg.pr.new/@modelcontextprotocol/server-map@690

@modelcontextprotocol/server-pdf

npm i https://pkg.pr.new/@modelcontextprotocol/server-pdf@690

@modelcontextprotocol/server-scenario-modeler

npm i https://pkg.pr.new/@modelcontextprotocol/server-scenario-modeler@690

@modelcontextprotocol/server-shadertoy

npm i https://pkg.pr.new/@modelcontextprotocol/server-shadertoy@690

@modelcontextprotocol/server-sheet-music

npm i https://pkg.pr.new/@modelcontextprotocol/server-sheet-music@690

@modelcontextprotocol/server-system-monitor

npm i https://pkg.pr.new/@modelcontextprotocol/server-system-monitor@690

@modelcontextprotocol/server-threejs

npm i https://pkg.pr.new/@modelcontextprotocol/server-threejs@690

@modelcontextprotocol/server-transcript

npm i https://pkg.pr.new/@modelcontextprotocol/server-transcript@690

@modelcontextprotocol/server-video-resource

npm i https://pkg.pr.new/@modelcontextprotocol/server-video-resource@690

@modelcontextprotocol/server-wiki-explorer

npm i https://pkg.pr.new/@modelcontextprotocol/server-wiki-explorer@690

commit: 864354c

@fredericbarthelet fredericbarthelet marked this pull request as ready for review July 1, 2026 14:15
Comment on lines +240 to +242
* This is a UX hint, NOT an authorization mechanism. Hosts retain full
* authority, MUST still apply their own allowlist/blocklist, and SHOULD NOT
* treat a declared origin as proof that a destination is safe.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@domfarolino, you paid special attention in the corresponding issue on making sure hosts understand this feature is in no way a trust mechanism. Could you review this last part and confirm wether you deem this explanation sufficient to ensure nobody uses linkTrustedDomains as safe?

@fredericbarthelet

Copy link
Copy Markdown
Contributor Author

@idosal @liady ready for a first review following our last working group discussion :)
@mstoiber-oai since you opened the issue initially, your review would be well appreciated too.

Thanks 🙏

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Support configuring approved redirect domains for ui/open-link

1 participant