Hey OpenAI team, noticed a bug on ChatGPT in production today.
Apps built on Skybridge fail to render their views in ChatGPT. The issue is only affecting apps currently available in ChatGPT app store. Views of affected apps fail to download JS and CSS due to browser enforcing CSP. Domains listed in MCP resource metadata are not included in the iFrame CSP.
It’s worth noting adding those same failing apps as a new one in developer mode on ChatGPT (using the same URL) do NOT have the issue.
I did a big of digging around and found the issue: Skybridge apps supports historically both Apps SDK and MCP App through dedicated MCP resources. ChatGPT has been preferably sourcing the Apps SDK resource (defined in openai/outputTemplate metadata on tool) even if the tool also advertised MCP App properties.
We noticed today that ChatGPT now preferably use ui.resourceUri, including for apps already submitted on the store.
The Apps SDK resource (exposed on ui://views/apps-sdk/...html) only exposes Apps SDK metadata and list static assets domains to be whitelisted on openai/widgetCSP.resource_domains.
The MCP App resource (exposed on ui://views/ext-apps/....html) only exposes MCP App metadata and list static assets domains to be whitelisted on ui.csp.resourceDomains.
I believe the switch that was made today from one resource to the other still use the old metadata property key, but on the new resource.
I’ll run additional tests to see if pushing a new version of the resource on affected apps with metadata reflecting both protocol fixes the issue and share the results here.