View CSPs not sourced anymore for apps published in store

Hey OpenAI team, noticed a bug on ChatGPT in production today.

Apps built on Skybridge fail to render their views in ChatGPT. The issue only affects apps currently available in the ChatGPT app store. Views of affected apps fail to download JS and CSS because the browser enforces the CSP. Domains listed in the MCP resource metadata are not included in the iframe CSP.

It’s worth noting that those same failing apps, when added as new apps in developer mode on ChatGPT (using the same URL), do NOT have the issue.

I did a bit of digging around and found the issue: Skybridge apps have historically supported both Apps SDK and MCP App through dedicated MCP resources. ChatGPT has been preferentially sourcing the Apps SDK resource (defined in the openai/outputTemplate metadata on the tool) even if the tool also advertised MCP App properties.

We noticed today that ChatGPT now preferentially uses ui.resourceUri, including for apps already submitted on the store.

The Apps SDK resource (exposed on ui://views/apps-sdk/...html) only exposes Apps SDK metadata and lists static asset domains to be whitelisted on openai/widgetCSP.resource_domains.
The MCP App resource (exposed on ui://views/ext-apps/....html) only exposes MCP App metadata and lists static asset domains to be whitelisted on ui.csp.resourceDomains.

I believe the switch that was made today from one resource to the other still uses the old metadata property key, but on the new resource.

I’ll run additional tests to see if pushing a new version of the resource on affected apps, with metadata reflecting both protocols, fixes the issue, and share the results here.
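A way to check a server's view resources for the mismatch described in the post above, as an added example that is not part of the original post or of Skybridge or ChatGPT code. It reads the CSP under each of the two metadata layouts quoted in the thread and reports, per resource, which layout resolves to nothing (the case that would leave a reader with no CSP). The function names, sample URIs and domains are constructed for illustration.

```javascript
// Added example: function names and sample resources are constructed.
// Only the two metadata key layouts come from the thread.
const SHAPES = {
  "apps-sdk": {
    read: (meta) => meta["openai/widgetCSP"],
    keys: { resource: "resource_domains", connect: "connect_domains", redirect: "redirect_domains" },
  },
  "mcp-app": {
    read: (meta) => (meta.ui ? meta.ui.csp : undefined),
    keys: { resource: "resourceDomains", connect: "connectDomains", redirect: "redirectDomains" },
  },
};

// CSP a reader would obtain using `protocol`'s key on this resource, or null.
function readCsp(resource, protocol) {
  const shape = SHAPES[protocol];
  const raw = shape.read(resource._meta || {});
  if (!raw) return null;
  const out = {};
  for (const [name, key] of Object.entries(shape.keys)) {
    out[name] = [...(raw[key] || [])].sort(); // sorted so order does not matter
  }
  return out;
}

// For each resource, list which key layouts resolve to a CSP and which do not.
function auditResources(resources) {
  return resources.map((r) => {
    const protocols = Object.keys(SHAPES);
    const found = protocols.filter((p) => readCsp(r, p) !== null);
    return { uri: r.uri, found, missing: protocols.filter((p) => !found.includes(p)) };
  });
}

// True when both layouts are present on the resource and allow the same domains.
function declaresBoth(resource) {
  const a = readCsp(resource, "apps-sdk");
  const b = readCsp(resource, "mcp-app");
  return a !== null && b !== null && JSON.stringify(a) === JSON.stringify(b);
}

// Constructed sample resources (placeholder URIs and domains).
const SAMPLE = [
  { uri: "ui://views/apps-sdk/demo.html",
    _meta: { "openai/widgetCSP": { resource_domains: ["https://assets.example.com"], connect_domains: [], redirect_domains: [] } } },
  { uri: "ui://views/ext-apps/demo.html",
    _meta: { ui: { csp: { resourceDomains: ["https://assets.example.com"], connectDomains: [], redirectDomains: [] } } } },
];

console.log(JSON.stringify(auditResources(SAMPLE), null, 2));
```

A resource for which `declaresBoth` returns true carries the same allow-list under both keys, which is the configuration the post proposes to test.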

Confirmed the origin of the issue on Cottages app.

The app details in OpenAI settings pane list the following template:

ui://widgets/apps-sdk/search-cottages.html

Search results for UK holiday cottages

  • openai/widgetCSP

    {
      "redirect_domains": [
        "https://www.cottages.com"
      ],
      "resource_domains": [
        "https://mcp.cottages.com",
        "https://img.chooseacottage.co.uk",
        "https://cdn.openai.com"
      ],
      "connect_domains": [
        "https://mcp.cottages.com",
        "https://api.mapbox.com",
        "https://events.mapbox.com"
      ]
    }
    
  • openai/widgetDomain

    "https://mcp.cottages.com"
    

However, initiating a conversation with ChatGPT with the app included triggers the following XHR call, which references a different resource than the one previously specified: ui://widgets/ext-apps/search-cottages.html

https://chatgpt.com/backend-api/ecosystem/widget?force_local=false&uri=connectors%3A%2F%2Fasdk_app_6945254ad31c81919d07ba1c357a1a57&template_pointer=ui%3A%2F%2Fwidgets%2Fext-apps%2Fsearch-cottages.html&resource_path=%2FCottages%2Flink_698f43e16600819198f289e330337c33%2Fsearch-cottages

and the response included "csp": null despite both resources referencing CSPs:

{
  "uri": "ui://widgets/apps-sdk/search-cottages.html",
  "_meta": {
    "openai/widgetCSP": {
      "resource_domains": [
        "https://mcp.cottages.com",
        "https://img.chooseacottage.co.uk",
        "https://cdn.openai.com"
      ],
      "connect_domains": [
        "https://mcp.cottages.com",
        "https://api.mapbox.com",
        "https://events.mapbox.com"
      ],
      "redirect_domains": [
        "https://www.cottages.com"
      ]
    }
  }
}
{
  "uri": "ui://widgets/ext-apps/search-cottages.html",
  "_meta": {
    "ui": {
      "csp": {
        "resourceDomains": [
          "https://mcp.cottages.com",
          "https://img.chooseacottage.co.uk",
          "https://cdn.openai.com"
        ],
        "connectDomains": [
          "https://mcp.cottages.com",
          "https://api.mapbox.com",
          "https://events.mapbox.com"
        ],
        "redirectDomains": [
          "https://www.cottages.com"
        ]
      },
      "domain": "https://mcp.cottages.com"
    }
  },