MCP Apps and the Atomized Web: A New Cross-Origin Attack Surface
Back to all posts

MCP Apps and the Atomized Web: A New Cross-Origin Attack Surface

7 min read
#mcp-security #agentic-ai #web-security #supply-chain

“I can just take this and I can just decompose it to atoms and let my agent build them for me.” — Ido Salomon, MCP-UI co-creator, AI Engineer World’s Fair, May 2026

Watch the full presentation: MCP UI: Extending the Frontier — Liad Yosef and Ido Salomon

The Web Is Getting Decomposed

On January 26, 2026, Anthropic, OpenAI, and the MCP-UI open-source community jointly launched MCP Apps — the first official extension to the Model Context Protocol. The idea: instead of navigating a dozen browser tabs, an AI assistant pulls interactive UI widgets from third-party MCP servers and assembles them directly inside the conversation. Booking sends a venue card. Shopify sends a checkout widget. Google sends a calendar slice. The model stitches them together on demand.

By May 2026, the spec was live across Claude, ChatGPT, VS Code, and Goose. The Ido Salomon / Liad Yosef talk at the AI Engineer conference calls this the “atoms” model — every major service becomes a provider of UI primitives that agents compose contextually rather than destinations users navigate to. It is genuinely useful. It is also a multi-origin untrusted content rendering problem that browsers spent 20 years developing defenses against.

How It Works (and Why It’s Different)

A tool call in MCP can now return a ui:// resource — bundled HTML and JavaScript that the host renders in a sandboxed iframe. Interaction flows back to the host via JSON-RPC over postMessage, not directly to the third-party backend. The AI stays in the loop, seeing every click and selection in real time.

The security model rests on a double-iframe architecture pioneered by the MCP-UI community and now formalized in the spec: an outer sandbox proxy hosted on a fixed, allowlisted origin wraps an inner iframe that renders the untrusted widget. The host whitelists one domain (the proxy), never the full open internet. The MCP server declares its own CSP via _meta.ui.csp — listing connectDomains, resourceDomains, and frameDomains — and the proxy enforces it.

This architecture is sound in principle. The implementation gaps are where things get interesting.

Four Attack Vectors Worth Watching

1. UI Supply Chain Compromise

In September 2025, an unofficial Postmark MCP server with 1,500 weekly downloads was quietly modified. A single BCC field was added to the email-sending tool, silently copying every email to an attacker’s address. No error. The tool worked perfectly — for two parties.

Extend that pattern to widgets. A payment card widget, an OAuth consent form, or a booking checkout gets silently modified post-install. The HTML looks identical. But now it carries a keylogger, a modified postMessage payload, or a pixel overlay that makes “Cancel” register as “Confirm Purchase.” With 12,000+ public MCP servers indexed across registries, this is the npm supply chain problem — except the blast radius includes real-time user actions and financial authorizations.

2. Indirect Prompt Injection via Widget Content

MCP Apps supports generative UI: the model itself generates HTML on the fly in response to external data. Combine that with tool results landing directly in the LLM’s context window, and you have an obvious injection path. A malicious email, a poisoned API response, or a crafted document rendered inside a widget can embed instructions that the model cannot reliably distinguish from legitimate content. Tool output is just tokens.

Unit 42 (Palo Alto Networks) demonstrated three concrete attack vectors via MCP sampling: resource theft, conversation hijacking, and covert tool invocation — all without user awareness.

3. postMessage Origin Validation Failures

The entire widget-to-host communication runs over postMessage. Getting the receiver-side origin check right is non-negotiable — and frameworks get it wrong. VS Code’s early MCP Apps implementation tried to read event.source.origin on cross-origin frames to filter messages, but that property throws a SecurityError when the frame is cross-origin. The correct property is event.origin. A subtle, standard browser mistake. In a production context, such a bug can allow a malicious inner iframe to bypass origin checks and send messages the host treats as trusted.

The MCP Apps spec establishes a message hierarchy from “notification” up to “tool call” and “prompt” — the latter effectively handing control to the model. A spoofed message that escalates from notification to tool call is a privilege escalation with no browser-level guardrail.

4. Widget-Declared CSP as a Trust Inversion

The entity most incentivized to declare permissive security policies — the widget author who wants their CDN, analytics, and fonts to load — is the one writing the policy that the proxy faithfully enforces. A permissive connect-src in a widget’s CSP metadata opens exfiltration paths. An overly broad frame-src enables nested iframe attacks. The spec requires restrictive defaults when _meta.ui.csp fields are empty, but there is no registry-level review of what widget authors actually declare.

The Structural Gaps

The MCP Apps working group has done genuine security engineering: the double-iframe design is correct, postMessage-only communication is the right call, and the CSP-per-widget model is better than no policy at all. But several structural gaps remain:

  • No widget registry vetting. 12,000+ public MCP servers. No equivalent of App Store review.
  • Host-dependent security. Three major hosts implement the sandbox differently — different origin schemes, different CSP enforcement, different sandbox attributes. A widget that’s safe in one host may not be in another.
  • No widget identity attestation. When Claude renders a “Google Calendar” widget, it’s rendering HTML from a URL that claims to be Google Calendar. There’s no cryptographic binding between the widget’s runtime identity and a verified publisher.
  • Cross-widget context poisoning. Widgets from different providers share the model’s context window. Provider A’s widget can inject instructions that influence how the model interprets Provider B’s widget. There is no same-origin policy for an LLM’s context window.

The Browser Parallel

The web browser took two decades to develop the primitives we now take for granted: same-origin policy, CSP, X-Frame-Options, Subresource Integrity, certificate pinning. Each was a reaction to an attack discovered in production.

MCP Apps is rebuilding a version of that multi-origin content model inside AI chat hosts — in months, at billion-user scale. The iframe is back. Cross-origin postMessage is back. Untrusted third-party UI is back. And the host doing the rendering is a large language model: non-deterministic, context-sensitive, and vulnerable to prompt injection in ways no browser engine ever was.

The security community spent 20 years cleaning up after the original web architects. This time, the conversation should start before the CVEs pile up.

Alex Ivanov · AI Security Blog · May 2026

Tags: #mcp-security #agentic-ai #llm-security #iframe-security #supply-chain #prompt-injection

Sources

  1. MCP Apps — Bringing UI Capabilities To MCP Clients — Model Context Protocol Blog, Jan 26 2026
  2. MCP Apps are here: Rendering interactive UIs in AI clients — WorkOS, Jan 27 2026
  3. I Reverse Engineered ChatGPT Apps Iframe Sandbox — dev.to, Jan 21 2026
  4. MCP App CSP Explained: Why Your Widget Won’t Render — dev.to, Apr 2 2026
  5. MCP Server Supply Chain Risk: When Your Agent’s Tools Become Attack Vectors — tianpan.co, Apr 10 2026
  6. ‘By Design’ Flaw in MCP Could Enable Widespread AI Supply Chain Attacks — SecurityWeek, Apr 14 2026
  7. MCP STDIO Command Injection: Full Vulnerability Advisory — OX Security, Apr 14 2026
  8. New Prompt Injection Attack Vectors Through MCP Sampling — Unit 42 / Palo Alto Networks, Dec 4 2025
  9. Indirect Prompt Injection in MCP Tools: 10 Real Examples & Defenses — StackOne, Feb 25 2026
  10. MCP Security in 2026: How to Protect Your AI Agents from Prompt Injection — dev.to, Apr 19 2026
  11. The Missing Primitives for Trustworthy AI Agents — Sakura Sky
  12. MCP Apps: Uncaught SecurityError thrown when communicating with iframe — GitHub / Microsoft VS Code
  13. OWASP Top 10 Agents & AI Vulnerabilities (2026 Cheat Sheet) — Alex Ewerlöf, Mar 9 2026
  14. Securing the Model Context Protocol (MCP): Risks, Controls, and Mitigations — arXiv