releases.shpreview

MCP CSP domains sanitized against injection

@ai-sdk/react@4.0.29

July 14, 2026AI SDKView original ↗
1 fixThis release1 fixBug fixesAI-tallied from the release notes

Patch Changes

  • 519c72b: fix (react/mcp-apps): sanitize server-supplied CSP domains in getMCPAppCSP so values cannot inject extra directives, sources, or policies into the generated Content-Security-Policy

Fetched July 14, 2026