AI EngineerJune 15, 202620m

Why MCP and ChatGPT Apps Use Double Iframes — Frédéric Barthelet, Alpic

TL;DR

Double iframes solve a real isolation problem: A single iframe with srcdoc either inherits ChatGPT's origin and CSP or gets sandboxed into a null origin, and both paths break something important for secure app execution.
Relaxing ChatGPT's CSP would be a security disaster: Barthelet explains that if third-party scripts ran in the same origin, an app could read ChatGPT local storage or cookies and send them to its own backend.
A direct iframe to every app domain does not scale: OpenAI would have to keep updating frame-src for an effectively infinite list of MCP app domains, which is why hosts instead route through controlled domains like openaiusercontent.com.
The outer iframe is shared infrastructure, the inner iframe is your app: The host serves the same loader script on isolated subdomains, then that loader injects the app HTML into a nested iframe so each app gets separation without huge hosting complexity.
CSP metadata is one of the easiest ways to break an app: If your view calls an API and you forgot to declare that domain in connect-src, the app may work in dev and fail in production or during ChatGPT store review.
Skybridge's CSP inspector is built around a common pain point: Alpic's open source framework compares domains actually touched by a view against domains declared in MCP metadata, turning a subtle production bug into an immediate red flag during local development.

The Breakdown

ChatGPT and MCP apps use a double iframe not as a quirk, but as the cleanest way to run third-party UI without handing apps access to ChatGPT's cookies, local storage, or parent DOM. Frédéric Barthelet walks through the exact browser security tradeoffs, then shows how missing CSP domains still break real app submissions and how Alpic's Skybridge catches that before production.