modelcontextprotocol · jonathanhefner · Feb 3, 2026 · Feb 2, 2026
diff --git a/docs/overview.md b/docs/overview.md
@@ -201,7 +201,7 @@ See the [Display Modes](https://github.com/modelcontextprotocol/ext-apps/blob/ma
 
 All Views run in sandboxed iframes with no access to the Host's DOM, cookies, or storage. Communication happens only through [`postMessage`](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage), making it auditable.
 
-Servers declare which external domains their UI needs via [CSP](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CSP) metadata. Hosts enforce these declarations — if no domains are declared, no external connections are allowed. This "restrictive by default" approach prevents data exfiltration to undeclared servers.
+Servers declare which network domains their UI needs via [CSP](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CSP) metadata. Hosts enforce these declarations — if no domains are declared, no external connections are allowed. This "restrictive by default" approach prevents data exfiltration to undeclared servers.
 
 See the [Security Implications](https://github.com/modelcontextprotocol/ext-apps/blob/main/specification/2026-01-26/apps.mdx#security-implications) section of the specification for the threat model and mitigations.
 

diff --git a/src/generated/schema.json b/src/generated/schema.json
diff --git a/src/generated/schema.ts b/src/generated/schema.ts
diff --git a/src/server/index.examples.ts b/src/server/index.examples.ts
@@ -164,7 +164,7 @@ function registerAppResource_basicUsage(server: McpServer) {
 }
 
 /**
- * Example: registerAppResource with CSP configuration for external domains.
+ * Example: registerAppResource with CSP configuration for network access.
  */
 function registerAppResource_withCsp(
   server: McpServer,

diff --git a/src/server/index.ts b/src/server/index.ts
@@ -270,7 +270,7 @@ export function registerAppTool<
  * );
  * ```
  *
- * @example With CSP configuration for external domains
+ * @example With CSP configuration for network access
  * ```ts source="./index.examples.ts#registerAppResource_withCsp"
  * registerAppResource(
  *   server,

diff --git a/src/spec.types.ts b/src/spec.types.ts
@@ -539,8 +539,7 @@ export interface McpUiInitializedNotification {
 /**
  * @description Content Security Policy configuration for UI resources.
  *
- * Servers declare which external origins their UI needs to access.
- * Hosts use this to enforce appropriate CSP headers.
+ * Servers declare which origins their UI requires. Hosts use this to enforce appropriate CSP headers.
  *
  * > [!IMPORTANT]
  * > MCP App HTML runs in a sandboxed iframe with no same-origin server.
@@ -552,7 +551,7 @@ export interface McpUiResourceCsp {
    * @description Origins for network requests (fetch/XHR/WebSocket).
    *
    * - Maps to CSP `connect-src` directive
-   * - Empty or omitted → no external connections (secure default)
+   * - Empty or omitted → no network connections (secure default)
    *
    * @example
    * ```ts
@@ -565,7 +564,7 @@ export interface McpUiResourceCsp {
    *
    * - Maps to CSP `img-src`, `script-src`, `style-src`, `font-src`, `media-src` directives
    * - Wildcard subdomains supported: `https://*.example.com`
-   * - Empty or omitted → no external resources (secure default)
+   * - Empty or omitted → no network resources (secure default)
    *
    * @example
    * ```ts