Mcp Apps 1 : Introducing McpApps A2UI Component#801
Merged
sugoi-yuzuru merged 8 commits intomainfrom Mar 13, 2026
Merged
Conversation
sugoi-yuzuru
requested review from
ditman,
dmandar,
gspencergoog,
jacobsimionato,
nan-yu,
yjbanov and
zeroasterisk
as code owners
sugoi-yuzuru
force-pushed
the
mcp_1_sample_agent
branch
from
d3a7e57 to
8d73f8a
Compare
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Code Review
This PR introduces a new McpApps A2UI component for sandboxing web applications using a double iframe approach. However, the current implementation has several critical security flaws that undermine this isolation. Specifically, the sandbox iframe lacks origin validation for incoming messages, and the sandbox configuration for both the outer and inner iframes includes allow-same-origin, which allows untrusted content to potentially access the main application's DOM if they share the same origin. These issues could lead to Cross-Site Scripting (XSS) and sandbox escape. Additionally, there's a minor point about code brittleness due to bypassing type safety.
samples/client/angular/projects/orchestrator/public/sandbox_iframe/sandbox.ts
Show resolved
Hide resolved
samples/client/angular/projects/orchestrator/src/a2ui-catalog/mcp-app.ts
Outdated
Show resolved
Hide resolved
samples/client/angular/projects/orchestrator/src/a2ui-catalog/mcp-app.ts
Outdated
Show resolved
Hide resolved
samples/client/angular/projects/orchestrator/public/sandbox_iframe/sandbox.ts
Outdated
Show resolved
Hide resolved
samples/client/angular/projects/orchestrator/src/a2ui-catalog/mcp-app.ts
Show resolved
Hide resolved
samples/client/angular/projects/orchestrator/src/a2ui-catalog/mcp-app.ts
Outdated
Show resolved
Hide resolved
Collaborator
|
Can we fix the Gemini code review comments first? |
sugoi-yuzuru
force-pushed
the
mcp_1_sample_agent
branch
3 times, most recently
from
ecc5226 to
773c1ac
Compare
sugoi-yuzuru
force-pushed
the
mcp_1_sample_agent
branch
from
773c1ac to
436b804
Compare
jgindin
reviewed
Mar 10, 2026
samples/client/angular/projects/orchestrator/src/a2ui-catalog/mcp-app.ts
Outdated
Show resolved
Hide resolved
samples/client/angular/projects/orchestrator/src/a2ui-catalog/mcp-app.ts
Outdated
Show resolved
Hide resolved
samples/client/angular/projects/orchestrator/public/sandbox_iframe/sandbox.ts
Outdated
Show resolved
Hide resolved
samples/client/angular/projects/orchestrator/public/sandbox_iframe/sandbox.ts
Outdated
Show resolved
Hide resolved
samples/client/angular/projects/orchestrator/src/a2ui-catalog/mcp-app.ts
Show resolved
Hide resolved
jonsharkey
reviewed
Mar 10, 2026
samples/client/angular/projects/orchestrator/public/sandbox_iframe/sandbox.ts
Outdated
Show resolved
Hide resolved
jonsharkey
reviewed
Mar 10, 2026
Collaborator
jonsharkey
left a comment
jonsharkey
left a comment
There was a problem hiding this comment.
Overall LGTM, but I don't feel like I'm an expert enough in MCP or Angular to really know. I'll watch the other reviews come in too.
suyangw-g
reviewed
Mar 10, 2026
samples/client/angular/projects/orchestrator/src/a2ui-catalog/mcp-app.ts
Outdated
Show resolved
Hide resolved
suyangw-g
reviewed
Mar 10, 2026
samples/client/angular/projects/orchestrator/src/a2ui-catalog/mcp-app.ts
Show resolved
Hide resolved
suyangw-g
reviewed
Mar 10, 2026
samples/client/angular/projects/orchestrator/src/a2ui-catalog/mcp-app.ts
Show resolved
Hide resolved
6 tasks
suyangw-g
reviewed
Mar 11, 2026
samples/client/angular/projects/orchestrator/src/a2ui-catalog/mcp-app.ts
Show resolved
Hide resolved
jgindin
reviewed
Mar 11, 2026
samples/client/angular/projects/orchestrator/src/a2ui-catalog/mcp-app.ts
Outdated
Show resolved
Hide resolved
samples/client/angular/projects/orchestrator/public/sandbox_iframe/sandbox.ts
Outdated
Show resolved
Hide resolved
samples/client/angular/projects/orchestrator/public/sandbox_iframe/sandbox.ts
Show resolved
Hide resolved
samples/client/angular/projects/orchestrator/src/a2ui-catalog/mcp-app.ts
Outdated
Show resolved
Hide resolved
jgindin
reviewed
Mar 11, 2026
samples/client/angular/projects/orchestrator/public/sandbox_iframe/README.md
Show resolved
Hide resolved
Squashed commits: - feat: Add MCP Calculator app & McpApp rendering component - chore: Update the package.json in the Angular client samples
…for setup, and ensure sandbox attribute is always present.
…box iframe using an effect.
sugoi-yuzuru
force-pushed
the
mcp_1_sample_agent
branch
from
bd931cd to
d6793ff
Compare
…t for default allowed features.
jgindin
reviewed
Mar 12, 2026
samples/client/angular/projects/orchestrator/src/a2ui-catalog/mcp-app.ts
Outdated
Show resolved
Hide resolved
samples/client/angular/projects/orchestrator/src/a2ui-catalog/mcp-app.ts
Show resolved
Hide resolved
samples/client/angular/projects/orchestrator/src/a2ui-catalog/mcp-app.ts
Show resolved
Hide resolved
jgindin
approved these changes
Mar 12, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
This PR introduces an Angular A2UI Component named
McpApps. McpApps component leverages the McpApps API to create a double-layered iframe (iframe sandboxing) and inserts a HTML bundle (HTML/JS/CSS) passed into the component as an A2UI data input field into the inner-iframe to load arbitrary web-application into an A2UI component.The idea is that A2UI Agent can load an MCP Application resource from an external MCP server and simply relay that application as a
contentof an McpApp A2UI Component.The McpApp A2UI Component will take care of the double-layered iframing and the MCP Application's message-based communications to its host application and server. Attached is an overview of what this PR achieves.
In forthcoming changes, this McpApp A2UI component will integrate with the
OrchestratorAgent sample and will be loading theCalculatorMCP Application that was introduced in #791Pre-launch Checklist
If you need help, consider asking for advice on the discussion board.