Support `frameDomains` → `frame-src` CSP Mapping for External Iframe Embeds

## Problem

MCP Apps currently support `connectDomains` (→ `connect-src`) and `resourceDomains` (→ `img-src`, `font-src`, `media-src`) in `_meta.ui.csp`, but there's no way to allow external iframes. The host always applies:

```
frame-src 'self' blob: data:
```

This blocks legitimate use cases like embedding YouTube videos, Twitter/X posts, LinkedIn posts, or other third-party widgets inside an MCP App.

## Evidence

Console logs from the Claude host:

```
[Host] Extracting metadata from _meta.ui.csp: connectDomains, resourceDomains
[Host] Applied CSP: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' blob: data: https://...; connect-src 'self' https://...; frame-src 'self' blob: data:; ...
```

The host reads `connectDomains` and `resourceDomains` but ignores `frameDomains`. Attempting to embed an iframe results in:

```
Refused to frame 'https://www.linkedin.com/' because it violates the following Content Security Policy directive: "frame-src 'self' blob: data:".
```

## Proposed Solution

Add support for `frameDomains` in `_meta.ui.csp` that maps to `frame-src`:

```typescript
_meta: {
  ui: {
    csp: {
      connectDomains: ['https://api.example.com'],
      resourceDomains: ['https://cdn.example.com'],
      frameDomains: ['https://www.youtube.com', 'https://platform.twitter.com', 'https://www.linkedin.com']
    }
  }
}
```

Host would generate:

```
frame-src 'self' blob: data: https://www.youtube.com https://platform.twitter.com https://www.linkedin.com
```

## Use Cases

- Embedding YouTube/Vimeo videos in educational or briefing apps
- Embedding Twitter/X posts for social content curation
- Embedding LinkedIn posts in professional content apps
- Embedding Substack articles or other newsletter content
- Any app that aggregates third-party embeddable content

## Environment

- Claude Desktop (macOS)
- MCP Apps SDK with TypeScript backend
- Widgets using React with official embed URLs


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Support `frameDomains` → `frame-src` CSP Mapping for External Iframe Embeds #387

Problem

Evidence

Proposed Solution

Use Cases

Environment

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Support frameDomains → frame-src CSP Mapping for External Iframe Embeds #387

Description

Problem

Evidence

Proposed Solution

Use Cases

Environment

Metadata

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Issue actions

Support `frameDomains` → `frame-src` CSP Mapping for External Iframe Embeds #387