Trouble with CSP after publishing dev app

In developer mode, I’m able to add mcp servers and widgets quite easily and they are able to load their UIs. However, when I publish the app to my workspace (so other people at my company who don’t have developer mode can help test it out) I get the following error after the UI flashes for a second and disappears with the following error in console:
  main-DysC7zh_.js:5 Loading the script 'https://<MY_DOMAIN>/widgets/<MY_PAGE>.js' violates the following Content Security Policy directive: "script-src 'self' 'wasm-unsafe-eval' 'unsafe-inline' 'unsafe-eval' blob: tailwind.com cdn.jsdelivr.net unpkg.com https://*.oaiusercontent.com threejs.org". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback. The action has been blocked.

  main-DysC7zh_.js:5 Loading the script 'https://<MY_DOMAIN>/widgets/<MY_PAGE>.css' violates the following Content Security Policy directive: "script-src 'self' 'wasm-unsafe-eval' 'unsafe-inline' 'unsafe-eval' blob: tailwind.com cdn.jsdelivr.net unpkg.com https://*.oaiusercontent.com threejs.org". The action has been blocked.

Have been trying to work through this but unable to get it to go away, has anyone else encountered this issue?

Hi @rlittl

Are you declaring the domains your widget will load resources from via _meta["openai/widgetCSP"]?

The docs explicitly call out that this is required before broad distribution, and that the sandbox blocks everything else.


I’ve registered the widget as follows:

  @mcp.resource(
      "ui://widgets/<title>.html",
      mime_type="text/html+skybridge",
      meta={
          ...
          "openai/widgetCSP": {
              "connect_domains": ["<domain>"],
              "resource_domains": ["<domain>"],
          },
      },
  )

I believe I may be running into a similar issue as this thread (I’m using fastMCP):

https://community.openai.com/t/issue-fastmcp-resources-cannot-return-meta-in-read-responses-but-openai-client-expects-it/1368892

@sps Any guidance here? Would really appreciate any knowledge you have in this area
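An added preflight check (example code written for this thread, not from any poster here and not part of the Apps SDK or fastMCP): given a widget's `_meta` in the shape shown above, it reports which script and stylesheet URLs the widget loads are not covered by `resource_domains`, which is the mismatch that produces CSP errors like the ones quoted in the first post. It assumes allowlist entries are bare hosts or https origins, that a leading `*.` acts as a subdomain wildcard (as in the `https://*.oaiusercontent.com` source in the quoted policy), and uses placeholder domains throughout.

```python
from urllib.parse import urlparse

# Constructed example of the widget resource's _meta, in the shape shown in
# the thread. api.example.com / cdn.example.com are placeholder domains.
WIDGET_META = {
    "openai/widgetCSP": {
        "connect_domains": ["https://api.example.com"],
        "resource_domains": ["https://cdn.example.com"],
    },
}


def _host_of(entry: str) -> str:
    """Reduce an allowlist entry ('example.com' or 'https://example.com/x')
    to its bare host. Assumption: entries are bare hosts or https origins."""
    if "://" in entry:
        entry = entry.split("://", 1)[1]
    return entry.split("/", 1)[0].lower()


def host_allowed(url: str, allowed: list[str]) -> bool:
    """True if url's host is covered by one of the allowed entries.
    A leading '*.' matches any subdomain; everything else must match exactly.
    Assumption made here: only https URLs are considered loadable."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.hostname:
        return False
    host = parsed.hostname.lower()
    for entry in allowed:
        pattern = _host_of(entry)
        if pattern.startswith("*."):
            if host.endswith(pattern[1:]):
                return True
        elif host == pattern:
            return True
    return False


def uncovered_resources(meta: dict, resource_urls: list[str]) -> list[str]:
    """Return the URLs the widget loads that are not declared in
    openai/widgetCSP.resource_domains, i.e. the ones a strict sandbox CSP
    built from that list would refuse to load."""
    allowed = meta.get("openai/widgetCSP", {}).get("resource_domains", [])
    return [u for u in resource_urls if not host_allowed(u, allowed)]


if __name__ == "__main__":
    # Constructed: the bundle is served from widgets.example.com, which is
    # not what resource_domains declares, so the .js and .css are reported.
    loads = [
        "https://widgets.example.com/widgets/page.js",
        "https://widgets.example.com/widgets/page.css",
        "https://cdn.example.com/vendor.js",
    ]
    for url in uncovered_resources(WIDGET_META, loads):
        print("not covered by resource_domains:", url)
```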