mcp-data-platform-v1.39.1

@github-actions github-actions released this 11 Mar 08:14
· 268 commits to main since this release
e780907

Critical Fix: Charts and External Content in Public Viewer

v1.39.0 introduced the public viewer with a Content-Security-Policy that was too restrictive for HTML content. User-uploaded dashboards that load external libraries (Chart.js, D3, Plotly, Google Fonts, etc.) from CDNs rendered blank charts because the CSP blocked all external script sources.

Root cause: The public viewer wraps content in a blob: URL iframe. The previous code assumed blob: iframes do not inherit the parent document's CSP — this is incorrect. Modern browsers (Chromium, Firefox) propagate CSP to blob: origin iframes, so the parent's script-src 'unsafe-inline' policy blocked every <script src="https://..."> tag inside the iframe.

Fix: publicCSP() now allows https: sources for scripts, styles, fonts, images, and network requests for both HTML and JSX content types. Security isolation for embedded content is provided by the iframe's sandbox="allow-scripts" attribute (opaque origin, no top navigation, no form submission), not by CSP.
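
The blocking behaviour described above can be reproduced with a simplified source-list matcher. This is an added example, not the project's code: both policy strings are constructed for illustration, `directive` and `AllowsExternal` are hypothetical helpers, and matching covers only scheme sources and exact scheme+host sources.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Constructed policies for illustration; the project's exact header strings are not on the page.
const (
	strictCSP  = "default-src 'none'; script-src 'unsafe-inline'; style-src 'unsafe-inline'"
	relaxedCSP = "default-src 'none'; script-src 'unsafe-inline' https:; style-src 'unsafe-inline' https:; font-src https:; img-src https: data:; connect-src https:"
)

// directive returns the source list for name, falling back to default-src.
func directive(policy, name string) []string {
	var fallback []string
	for _, part := range strings.Split(policy, ";") {
		f := strings.Fields(part)
		switch {
		case len(f) == 0: // empty segment, nothing to read
		case f[0] == name:
			return f[1:]
		case f[0] == "default-src" && fallback == nil:
			fallback = f[1:]
		}
	}
	return fallback
}

// AllowsExternal reports whether policy lets rawURL load under directive dir.
// Keyword sources such as 'unsafe-inline' never match a URL, so they are skipped.
func AllowsExternal(policy, dir, rawURL string) bool {
	u, err := url.Parse(rawURL)
	if err != nil || u.Host == "" {
		return false
	}
	for _, src := range directive(policy, dir) {
		switch src {
		case u.Scheme + ":", u.Scheme + "://" + u.Host: // scheme or exact host source
			return true
		}
	}
	return false
}

func main() {
	chart := "https://cdn.jsdelivr.net/npm/chart.js"
	fmt.Println(AllowsExternal(strictCSP, "script-src", chart), AllowsExternal(relaxedCSP, "script-src", chart))
}
```

A policy inherited by the blob: iframe that lists only `'unsafe-inline'` for `script-src` therefore rejects the CDN script, while the `https:` scheme source accepts it.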

Before / After

| Content Type | v1.39.0 | v1.39.1 |
| --- | --- | --- |
| HTML with inline JS only | Works | Works |
| HTML loading Chart.js from CDN | Blank charts | Works |
| HTML loading D3/Plotly from CDN | Blank visualizations | Works |
| JSX with esm.sh imports | Works (allow-listed) | Works (generalized) |

Share Dialog Options

The backend already supported hide_expiration and notice_text fields on shares (added in v1.39.0), but the Share Dialog had no UI controls for them. This release adds a collapsible Options section to the dialog:

  • Hide expiration notice — checkbox, suppresses the countdown in the public viewer
  • Notice text — text input for custom notice text (replaces the default "Proprietary & Confidential..." message)

Options are only sent when creating public links (not user shares).

Iframe Layout Fix

The public viewer iframe used a hardcoded height:80vh inline style that cut off tall content and left empty space below short content. Replaced with a flex layout:

  • .content is now a flex column container
  • Iframes use flex: 1; min-height: 60vh — they expand to fill available vertical space with a 60vh floor
  • Non-iframe content (markdown, inline SVG) is unaffected

Files Changed

| File | What |
| --- | --- |
| pkg/portal/public.go | Fixed CSP for blob: iframe inheritance; removed hardcoded height:80vh |
| pkg/portal/public_test.go | Updated CSP assertions |
| pkg/portal/templates/public_viewer.html | Flex layout CSS for .content container |
| ui/src/components/ShareDialog.tsx | Collapsible Options section with checkbox + text input |
| ui/src/api/portal/types.ts | Added hide_expiration, notice_text to Share interface |
| ui/src/api/portal/hooks.ts | Added fields to useCreateShare mutation type |
| ui/src/mocks/handlers.ts | Mock echoes new fields in share creation response |

Installation

Homebrew (macOS)

brew install txn2/tap/mcp-data-platform

Claude Code CLI

claude mcp add mcp-data-platform -- mcp-data-platform

Docker

docker pull ghcr.io/txn2/mcp-data-platform:v1.39.1

Verification

All release artifacts are signed with Cosign. Verify with:

cosign verify-blob --bundle mcp-data-platform_1.39.1_linux_amd64.tar.gz.sigstore.json \
  mcp-data-platform_1.39.1_linux_amd64.tar.gz