Mcp Apps 3 : Integrate MCP Apps Sample Agent into Orchestrator Sample#852
Mcp Apps 3 : Integrate MCP Apps Sample Agent into Orchestrator Sample#852sugoi-yuzuru merged 1 commit intomainfrom
Conversation
sugoi-yuzuru
force-pushed
the
mcp_3_orche
branch
from
fdbc6e1 to
6aaaef6
Compare
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request successfully integrates the MCP Apps demo into the Angular Orchestrator Sample by adding a new mcp_app_proxy agent and the corresponding client-side components. The implementation uses a sandboxed iframe approach for rendering MCP apps, which is a good security practice.
My review includes a critical security recommendation regarding the sandbox implementation, along with several medium-severity suggestions to improve code quality and maintainability by removing unused imports and addressing minor issues in documentation and code style. Overall, the changes are well-structured and the new sample is a valuable addition.
| // TODO: Make the sandbox URL configurable. To ensure CORS encapsulation, the sandbox | ||
| // should be served from a different origin than the orchestrator. | ||
| const sandboxUrl = 'sandbox_iframe/sandbox.html'; |
There was a problem hiding this comment.
The TODO comment correctly identifies a critical security risk. Loading the sandbox iframe from the same origin (sandbox_iframe/sandbox.html) significantly reduces the security benefits of the sandbox attribute, as same-origin iframes have ways to bypass some restrictions. For robust security, the sandbox content should be served from a completely separate origin (e.g., sandbox.example.com). This should be prioritized to prevent potential cross-site scripting (XSS) vulnerabilities where the sandboxed content could affect the main application.
sugoi-yuzuru
force-pushed
the
mcp_2_mcp_relay_agent
branch
from
ac1b930 to
83764f8
Compare
sugoi-yuzuru
force-pushed
the
mcp_3_orche
branch
from
6aaaef6 to
d035e04
Compare
sugoi-yuzuru
force-pushed
the
mcp_2_mcp_relay_agent
branch
from
83764f8 to
ff422da
Compare
sugoi-yuzuru
force-pushed
the
mcp_3_orche
branch
from
d035e04 to
11b382a
Compare
… and supported catalog IDs.
sugoi-yuzuru
force-pushed
the
mcp_3_orche
branch
from
11b382a to
c979ef6
Compare
2 participants
Description
This PR incorporates the MCP Apps demo into the Angular Orchestrator Sample.
It completes the following 3 staged PRs into a demo.
0: #791 introduced a new Calculator App resource in the Sample MCP Server
1: #801 introduced a new A2UI Angular Component
McpAppsthat can containerize and display MCP Apps resrource as a A2UI Component/2: #815 set up a standalone A2A Agent that show cases how the relay of MCP Apps retrieved from MCP Servers can be translated into A2UI protocol for A2UI client consumption.
and then 3: this PR updates the existing Orchestrator A2UI demo to integrate with the A2A Agent prepared in #2.
See demo: https://screencast.googleplex.com/cast/NTU3NTU5MTg4MDI5NDQwMHxhZTA1OGM1Mi1kNg
Pre-launch Checklist
If you need help, consider asking for advice on the discussion board.