example dotnet angular host

Author: halllo

examples/dotnet-angular-host/README.md

@@ -0,0 +1,83 @@
+# Example: .NET + Angular Host
+
+An MCP host implementation using Angular 21 (frontend) and ASP.NET Core .NET 10 (backend). Functionally equivalent to [`basic-host`](../basic-host), serving as a reference for teams building hosts with the Microsoft stack.
+
+## Key Files
+
+### Frontend (`frontend/`)
+
+- [`src/app/app.ts`](frontend/src/app/app.ts) / [`app.html`](frontend/src/app/app.html) — Root component: server connections, tool call list, query-param deep linking
+- [`src/app/implementation.ts`](frontend/src/app/implementation.ts) — Core logic: server connection, tool calling, AppBridge setup
+- [`src/sandbox.ts`](frontend/src/sandbox.ts) — Compiled by esbuild into `sandbox.js`; loaded by the outer iframe proxy
+- [`public/sandbox.html`](frontend/public/sandbox.html) — Outer iframe proxy page (served from port 8081)
+
+### Backend (`backend/`)
+
+- [`Program.cs`](backend/Program.cs) — ASP.NET Core minimal API: dual-port Kestrel config, sandbox middleware, `/api/servers` endpoint, Angular SPA fallback
+- [`appsettings.json`](backend/appsettings.json) — Server URLs and port configuration
+
+## Getting Started
+
+### 1. Install dependencies
+
+```bash
+# From the repo root
+npm install
+```
+
+### 2. Build the frontend
+
+```bash
+cd examples/dotnet-angular-host/frontend
+npm run build
+```
+
+This runs `ng build` followed by an esbuild step that compiles `sandbox.ts` into `dist/browser/sandbox.js`.
+
+### 3. Configure MCP servers
+
+Edit [`backend/appsettings.json`](backend/appsettings.json) and set the `Servers` array to your MCP server URLs:
+
+```json
+{
+  "Servers": ["http://localhost:3001/mcp"]
+}
+```
+
+### 4. Start the backend
+
+```bash
+cd examples/dotnet-angular-host/backend
+dotnet run
+```
+
+Open `http://localhost:8080`.
+
+## Architecture
+
+The host uses a double-iframe sandbox pattern for secure UI isolation:
+
+```
+Host (port 8080)
+  └── Outer iframe (port 8081) — sandbox proxy (sandbox.html / sandbox.js)
+        └── Inner iframe (srcdoc) — untrusted tool UI
+```
+
+**Why two iframes?**
+
+- The outer iframe runs on a separate origin (port 8081), preventing direct DOM/cookie access to the host
+- The inner iframe receives HTML via `srcdoc` and is restricted by `sandbox` attributes
+- Messages flow through the outer iframe, which validates and relays them bidirectionally
+
+The two ports are served by a single ASP.NET Core process using Kestrel's multi-listener configuration. Middleware branches on `context.Connection.LocalPort` to enforce the origin separation.
+
+## Query Parameters
+
+The host supports deep linking via URL query parameters:
+
+| Parameter | Description                                   |
+| --------- | --------------------------------------------- |
+| `server`  | Pre-select a server by name                   |
+| `tool`    | Pre-select a tool by name                     |
+| `call`    | Set to `true` to auto-invoke the tool on load |
+| `theme`   | Set to `hide` to hide the theme toggle button |

examples/dotnet-angular-host/backend/.gitignore

@@ -0,0 +1,2 @@
+/bin
+/obj

examples/dotnet-angular-host/backend/Program.cs

@@ -0,0 +1,156 @@
+using System.Text.Json;
+using System.Text.Json.Serialization;
+using Microsoft.Extensions.FileProviders;
+
+var builder = WebApplication.CreateBuilder(args);
+
+var hostPort = builder.Configuration.GetValue("HostPort", 8080);
+var sandboxPort = builder.Configuration.GetValue("SandboxPort", 8081);
+
+// Kestrel: listen on two ports for separate origins (security requirement)
+builder.WebHost.ConfigureKestrel(options =>
+{
+    options.ListenLocalhost(hostPort);
+    options.ListenLocalhost(sandboxPort);
+});
+
+builder.Services.AddCors(o =>
+    o.AddDefaultPolicy(p => p.AllowAnyOrigin().AllowAnyMethod().AllowAnyHeader()));
+
+var app = builder.Build();
+app.UseCors();
+
+// Resolve Angular dist directory
+var distRelPath = builder.Configuration["FrontendDistPath"] ?? "../frontend/dist/browser";
+var distPath = Path.GetFullPath(Path.Combine(builder.Environment.ContentRootPath, distRelPath));
+
+// ── Sandbox server (port 8081) ──────────────────────────────────────────────
+// Must run before static files middleware so it intercepts all sandbox-port requests.
+app.Use(async (context, next) =>
+{
+    if (context.Connection.LocalPort != sandboxPort)
+    {
+        await next();
+        return;
+    }
+
+    var path = context.Request.Path.Value ?? "/";
+
+    if (path is "/" or "/sandbox.html")
+    {
+        McpUiResourceCsp? csp = null;
+        if (context.Request.Query.TryGetValue("csp", out var cspJson))
+        {
+            try
+            {
+                csp = JsonSerializer.Deserialize<McpUiResourceCsp>(
+                    cspJson!,
+                    new JsonSerializerOptions { PropertyNameCaseInsensitive = true });
+            }
+            catch (JsonException ex)
+            {
+                Console.Error.WriteLine($"[Sandbox] Invalid CSP query param: {ex.Message}");
+            }
+        }
+
+        context.Response.Headers.ContentSecurityPolicy = BuildCspHeader(csp);
+        context.Response.Headers.CacheControl = "no-cache, no-store, must-revalidate";
+        context.Response.Headers.Pragma = "no-cache";
+        context.Response.Headers.Expires = "0";
+        context.Response.ContentType = "text/html";
+        await context.Response.SendFileAsync(Path.Combine(distPath, "sandbox.html"));
+    }
+    else if (path == "/sandbox.js")
+    {
+        context.Response.ContentType = "application/javascript";
+        await context.Response.SendFileAsync(Path.Combine(distPath, "sandbox.js"));
+    }
+    else
+    {
+        context.Response.StatusCode = 404;
+        await context.Response.WriteAsync("Only sandbox files are served on this port");
+    }
+});
+
+// ── Host server (port 8080) ─────────────────────────────────────────────────
+
+// Block sandbox files on host port — they must come from the sandbox origin.
+app.Use(async (context, next) =>
+{
+    if (context.Request.Path.Value is "/sandbox.html" or "/sandbox.js")
+    {
+        context.Response.StatusCode = 404;
+        await context.Response.WriteAsync("Sandbox is served on a different port");
+        return;
+    }
+
+    await next();
+});
+
+// /api/servers — configuration required, no hardcoded fallback
+var servers = builder.Configuration.GetSection("Servers").Get<string[]>()
+    ?? throw new InvalidOperationException("'Servers' configuration is required in appsettings.json");
+
+app.MapGet("/api/servers", () => Results.Json(servers));
+
+// Angular SPA static files
+app.UseStaticFiles(new StaticFileOptions
+{
+    FileProvider = new PhysicalFileProvider(distPath),
+});
+
+// SPA fallback — serve index.html for unknown routes (client-side routing)
+app.MapFallback(async context =>
+{
+    context.Response.ContentType = "text/html";
+    await context.Response.SendFileAsync(Path.Combine(distPath, "index.html"));
+});
+
+Console.WriteLine($"Host server:    http://localhost:{hostPort}");
+Console.WriteLine($"Sandbox server: http://localhost:{sandboxPort}");
+Console.WriteLine($"Frontend dist:  {distPath}");
+Console.WriteLine();
+
+app.Run();
+
+// ── CSP helpers ──────────────────────────────────────────────────────────────
+
+static string BuildCspHeader(McpUiResourceCsp? csp)
+{
+    var rd = string.Join(" ", SanitizeCspDomains(csp?.ResourceDomains));
+    var cd = string.Join(" ", SanitizeCspDomains(csp?.ConnectDomains));
+    var frame = csp?.FrameDomains?.Length > 0
+        ? $"frame-src {string.Join(" ", SanitizeCspDomains(csp.FrameDomains))}"
+        : "frame-src 'none'";
+    var baseUri = csp?.BaseUriDomains?.Length > 0
+        ? $"base-uri {string.Join(" ", SanitizeCspDomains(csp.BaseUriDomains))}"
+        : "base-uri 'none'";
+
+    return string.Join("; ", new[]
+    {
+        "default-src 'self' 'unsafe-inline'",
+        $"script-src 'self' 'unsafe-inline' 'unsafe-eval' blob: data: {rd}".TrimEnd(),
+        $"style-src 'self' 'unsafe-inline' blob: data: {rd}".TrimEnd(),
+        $"img-src 'self' data: blob: {rd}".TrimEnd(),
+        $"font-src 'self' data: blob: {rd}".TrimEnd(),
+        $"media-src 'self' data: blob: {rd}".TrimEnd(),
+        $"connect-src 'self' {cd}".TrimEnd(),
+        $"worker-src 'self' blob: {rd}".TrimEnd(),
+        frame,
+        "object-src 'none'",
+        baseUri,
+    });
+}
+
+static string[] SanitizeCspDomains(string[]? domains) =>
+    domains?
+        .Where(d => !string.IsNullOrEmpty(d)
+            && !d.Any(c => c is ';' or '\r' or '\n' or '\'' or '"' or ' '))
+        .ToArray() ?? [];
+
+record McpUiResourceCsp(
+    [property: JsonPropertyName("resourceDomains")] string[]? ResourceDomains,
+    [property: JsonPropertyName("connectDomains")] string[]? ConnectDomains,
+    [property: JsonPropertyName("frameDomains")] string[]? FrameDomains,
+    [property: JsonPropertyName("baseUriDomains")] string[]? BaseUriDomains
+);

examples/dotnet-angular-host/backend/Properties/launchSettings.json

@@ -0,0 +1,14 @@
+{
+  "$schema": "https://json.schemastore.org/launchsettings.json",
+  "profiles": {
+    "http": {
+      "commandName": "Project",
+      "dotnetRunMessages": true,
+      "launchBrowser": true,
+      "applicationUrl": "http://localhost:8080",
+      "environmentVariables": {
+        "ASPNETCORE_ENVIRONMENT": "Development"
+      }
+    }
+  }
+}

examples/dotnet-angular-host/backend/appsettings.Development.json

@@ -0,0 +1,8 @@
+{
+  "Logging": {
+    "LogLevel": {
+      "Default": "Information",
+      "Microsoft.AspNetCore": "Warning"
+    }
+  }
+}

examples/dotnet-angular-host/backend/appsettings.json

@@ -0,0 +1,13 @@
+{
+  "Logging": {
+    "LogLevel": {
+      "Default": "Information",
+      "Microsoft.AspNetCore": "Warning"
+    }
+  },
+  "AllowedHosts": "*",
+  "HostPort": 8080,
+  "SandboxPort": 8081,
+  "FrontendDistPath": "../frontend/dist/browser",
+  "Servers": ["http://localhost:3001/mcp"]
+}

examples/dotnet-angular-host/backend/dotnet-host.csproj

@@ -0,0 +1,10 @@
+<Project Sdk="Microsoft.NET.Sdk.Web">
+
+  <PropertyGroup>
+    <TargetFramework>net10.0</TargetFramework>
+    <Nullable>enable</Nullable>
+    <ImplicitUsings>enable</ImplicitUsings>
+    <RootNamespace>dotnet_host</RootNamespace>
+  </PropertyGroup>
+
+</Project>

examples/dotnet-angular-host/frontend/.editorconfig

@@ -0,0 +1,17 @@
+# Editor configuration, see https://editorconfig.org
+root = true
+
+[*]
+charset = utf-8
+indent_style = space
+indent_size = 2
+insert_final_newline = true
+trim_trailing_whitespace = true
+
+[*.ts]
+quote_type = single
+ij_typescript_use_double_quotes = false
+
+[*.md]
+max_line_length = off
+trim_trailing_whitespace = false

examples/dotnet-angular-host/frontend/.gitignore

@@ -0,0 +1,46 @@
+# See https://docs.github.com/get-started/getting-started-with-git/ignoring-files for more about ignoring files.
+
+/.angular
+
+# Compiled output
+/dist
+/tmp
+/out-tsc
+/bazel-out
+
+# Node
+/node_modules
+npm-debug.log
+yarn-error.log
+
+# IDEs and editors
+.idea/
+.project
+.classpath
+.c9/
+*.launch
+.settings/
+*.sublime-workspace
+
+# Visual Studio Code
+.vscode/*
+!.vscode/settings.json
+!.vscode/tasks.json
+!.vscode/launch.json
+!.vscode/extensions.json
+!.vscode/mcp.json
+.history/*
+
+# Miscellaneous
+/.angular/cache
+.sass-cache/
+/connect.lock
+/coverage
+/libpeerconnection.log
+testem.log
+/typings
+__screenshots__/
+
+# System files
+.DS_Store
+Thumbs.db

examples/dotnet-angular-host/frontend/.prettierrc

@@ -0,0 +1,12 @@
+{
+  "printWidth": 100,
+  "singleQuote": true,
+  "overrides": [
+    {
+      "files": "*.html",
+      "options": {
+        "parser": "angular"
+      }
+    }
+  ]
+}