Setting the document's base URI violates the following CSP directive: "base-uri 'self'"

When an MCP server exposes OpenAI CSP rules, the sandbox automatically adds a meta tag to its iframe containing all the rules. It also includes a base-uri 'self' directive whose value does not seem to be configurable at the moment.

This directive prevents the use of the HTML `<base>` tag, which previously allowed the use of relative paths for assets such as images. When using Vite, for example, this makes it necessary to rewrite all relative paths to full URLs by prefixing them with an origin during the build phase.

I understand this has been done for security reasons, but would it be possible to make it configurable in the resource meta object? It should not pose any security risk if the domain used as the base is declared in the server CSP configuration.

5 Likes

Was about to raise the same issue.

I’m about to submit my first app and currently not sure how to best handle it.

We implemented a temporary workaround in the skybridge framework, maybe you will find it useful. It works by rewriting all the relative URLs as absolute to avoid having to rely on the `<base>` tag.

1 Like
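Added example, not code from this thread, from the sandbox, or from the skybridge framework: it shows both halves of the discussion above. The first function checks a CSP string's `base-uri` directive the way a browser would decide whether a `<base href>` is permitted (so you can see why `base-uri 'self'` rejects a base pointing at a separate asset host), and the second is the kind of build-time rewrite the workaround describes, turning relative `src`/`href` values into absolute URLs so the `<base>` tag is no longer needed. `SANDBOX_ORIGIN`, `ASSET_ORIGIN` and `SAMPLE_CSP` are constructed placeholders; host-source matching is simplified to an exact-origin comparison, and the rewrite uses a regex over `src`/`href` attributes rather than a full HTML parser.

```javascript
// Constructed placeholders: where the sandbox document lives and where the
// app's built assets are hosted. Real deployments will differ.
const SANDBOX_ORIGIN = "https://sandbox.example";
const ASSET_ORIGIN = "https://assets.example.com";
const SAMPLE_CSP =
  "default-src 'self'; img-src https://assets.example.com; base-uri 'self'";

// Parse a CSP string into a Map of directive name -> array of source expressions.
// Per the CSP spec, only the first occurrence of a directive name counts.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Would a <base href="..."> be allowed under this policy's base-uri directive?
// 'self' matches the document's own origin, 'none' matches nothing, and an
// absolute-URL source matches its origin. Host sources without a scheme are
// not handled here (simplification of the real matching rules).
function baseUriAllowed(policy, baseHref, documentOrigin) {
  const sources = parseCsp(policy).get("base-uri");
  if (sources === undefined) return true; // no base-uri directive: unrestricted
  const lowered = sources.map((s) => s.toLowerCase());
  if (lowered.length === 1 && lowered[0] === "'none'") return false;
  const target = new URL(baseHref, documentOrigin).origin;
  for (const src of lowered) {
    if (src === "'self'" && target === documentOrigin) return true;
    if (!src.startsWith("'")) {
      try {
        if (new URL(src).origin === target) return true;
      } catch {
        // Not an absolute URL source; skipped in this simplified matcher.
      }
    }
  }
  return false;
}

// Rewrite relative src/href attribute values in an HTML string to absolute
// URLs resolved against assetOrigin. Values that already carry a scheme
// (https:, data:, blob:, ...), protocol-relative values (//host/...) and
// fragment-only links (#id) are left untouched.
function rewriteRelativeUrls(html, assetOrigin) {
  return html.replace(/\b(src|href)=("|')([^"']*)\2/gi, (match, attr, quote, value) => {
    if (/^(?:[a-z][a-z0-9+.-]*:|\/\/|#)/i.test(value)) return match;
    const absolute = new URL(value, assetOrigin).href;
    return `${attr}=${quote}${absolute}${quote}`;
  });
}

// Constructed snippet resembling a Vite build's index.html.
const SAMPLE_HTML = [
  '<script type="module" src="./assets/index.js"></script>',
  '<link rel="stylesheet" href="/assets/style.css">',
  '<img src="data:image/png;base64,AAAA">',
  '<a href="#top">top</a>',
  '<script src="https://cdn.example/lib.js"></script>',
].join("\n");

// Stand-alone run: show the two decisions and the rewritten markup.
function demo() {
  return {
    baseToAssetHost: baseUriAllowed(SAMPLE_CSP, ASSET_ORIGIN + "/", SANDBOX_ORIGIN), // false
    baseToSelf: baseUriAllowed(SAMPLE_CSP, "/", SANDBOX_ORIGIN),                    // true
    rewritten: rewriteRelativeUrls(SAMPLE_HTML, ASSET_ORIGIN),
  };
}

console.log(demo());
```

Vite's own `base` config option accepts a full URL, so the rewrite above mirrors what `base: "https://assets.example.com/"` produces at build time; the explicit function is useful when assets are emitted by another tool or when you need to post-process HTML you do not build yourself.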