diff --git a/examples/basic-host/package.json b/examples/basic-host/package.json
index 78cf826f..cb775a64 100644
--- a/examples/basic-host/package.json
+++ b/examples/basic-host/package.json
@@ -25,6 +25,7 @@
     "@vitejs/plugin-react": "^4.3.4",
     "concurrently": "^9.2.1",
     "cors": "^2.8.5",
+    "cross-env": "^10.1.0",
     "express": "^5.1.0",
     "prettier": "^3.6.2",
     "vite": "^6.0.0",
diff --git a/examples/basic-host/src/implementation.ts b/examples/basic-host/src/implementation.ts
index 703ab6a5..e29fb7fe 100644
--- a/examples/basic-host/src/implementation.ts
+++ b/examples/basic-host/src/implementation.ts
@@ -45,6 +45,13 @@ interface UiResourceData {
   csp?: {
     connectDomains?: string[];
     resourceDomains?: string[];
+    frameDomains?: string[];
+    baseUriDomains?: string[];
+  };
+  permissions?: {
+    camera?: boolean;
+    microphone?: boolean;
+    geolocation?: boolean;
   };
 }
 
@@ -108,15 +115,16 @@ async function getUiResource(serverInfo: ServerInfo, uri: string): Promise<UiRes
 
   const html = "blob" in content ? atob(content.blob) : content.text;
 
-  // Extract CSP metadata from resource content._meta.ui.csp (or content.meta for Python SDK)
+  // Extract CSP and permissions metadata from resource content._meta.ui (or content.meta for Python SDK)
   log.info("Resource content keys:", Object.keys(content));
   log.info("Resource content._meta:", (content as any)._meta);
 
   // Try both _meta (spec) and meta (Python SDK quirk)
   const contentMeta = (content as any)._meta || (content as any).meta;
   const csp = contentMeta?.ui?.csp;
+  const permissions = contentMeta?.ui?.permissions;
 
-  return { html, csp };
+  return { html, csp, permissions };
 }
 
 
@@ -162,10 +170,10 @@ export async function initializeApp(
     new PostMessageTransport(iframe.contentWindow!, iframe.contentWindow!),
   );
 
-  // Load inner iframe HTML with CSP metadata
-  const { html, csp } = await appResourcePromise;
-  log.info("Sending UI resource HTML to MCP App", csp ? `(CSP: ${JSON.stringify(csp)})` : "");
-  await appBridge.sendSandboxResourceReady({ html, csp });
+  // Load inner iframe HTML with CSP and permissions metadata
+  const { html, csp, permissions } = await appResourcePromise;
+  log.info("Sending UI resource HTML to MCP App", csp ? `(CSP: ${JSON.stringify(csp)})` : "", permissions ? `(Permissions: ${JSON.stringify(permissions)})` : "");
+  await appBridge.sendSandboxResourceReady({ html, csp, permissions });
 
   // Wait for inner iframe to be ready
   log.info("Waiting for MCP App to initialize...");
diff --git a/examples/basic-host/src/sandbox.ts b/examples/basic-host/src/sandbox.ts
index 7f27d0b9..b932aacb 100644
--- a/examples/basic-host/src/sandbox.ts
+++ b/examples/basic-host/src/sandbox.ts
@@ -57,9 +57,16 @@ const PROXY_READY_NOTIFICATION: McpUiSandboxProxyReadyNotification["method"] =
 // intercepted here (not relayed) because the Sandbox uses it to configure and
 // load the inner iframe with the Guest UI HTML content.
 // Build CSP meta tag from domains
-function buildCspMetaTag(csp?: { connectDomains?: string[]; resourceDomains?: string[] }): string {
+function buildCspMetaTag(csp?: {
+  connectDomains?: string[];
+  resourceDomains?: string[];
+  frameDomains?: string[];
+  baseUriDomains?: string[];
+}): string {
   const resourceDomains = csp?.resourceDomains?.join(" ") ?? "";
   const connectDomains = csp?.connectDomains?.join(" ") ?? "";
+  const frameDomains = csp?.frameDomains?.join(" ");
+  const baseUriDomains = csp?.baseUriDomains?.join(" ");
 
   // Base CSP directives
   const directives = [
@@ -69,23 +76,47 @@ function buildCspMetaTag(csp?: { connectDomains?: string[]; resourceDomains?: st
     `img-src 'self' data: blob: ${resourceDomains}`.trim(),
     `font-src 'self' data: blob: ${resourceDomains}`.trim(),
     `connect-src 'self' ${connectDomains}`.trim(),
-    "frame-src 'none'",
+    // Use frameDomains if provided, otherwise default to 'none'
+    frameDomains ? `frame-src ${frameDomains}` : "frame-src 'none'",
     "object-src 'none'",
-    "base-uri 'self'",
+    // Use baseUriDomains if provided, otherwise default to 'self'
+    baseUriDomains ? `base-uri ${baseUriDomains}` : "base-uri 'self'",
   ];
 
   return `<meta http-equiv="Content-Security-Policy" content="${directives.join("; ")}">`;
 }
 
+// Build iframe allow attribute from permissions
+function buildAllowAttribute(permissions?: {
+  camera?: boolean;
+  microphone?: boolean;
+  geolocation?: boolean;
+}): string {
+  if (!permissions) return "";
+
+  const allowList: string[] = [];
+  if (permissions.camera) allowList.push("camera");
+  if (permissions.microphone) allowList.push("microphone");
+  if (permissions.geolocation) allowList.push("geolocation");
+
+  return allowList.join("; ");
+}
+
 window.addEventListener("message", async (event) => {
   if (event.source === window.parent) {
     // NOTE: In production you'll also want to validate `event.origin` against
     // your Host domain.
     if (event.data && event.data.method === RESOURCE_READY_NOTIFICATION) {
-      const { html, sandbox, csp } = event.data.params;
+      const { html, sandbox, csp, permissions } = event.data.params;
       if (typeof sandbox === "string") {
         inner.setAttribute("sandbox", sandbox);
       }
+      // Set Permission Policy allow attribute if permissions are requested
+      const allowAttribute = buildAllowAttribute(permissions);
+      if (allowAttribute) {
+        console.log("[Sandbox] Setting allow attribute:", allowAttribute);
+        inner.setAttribute("allow", allowAttribute);
+      }
       if (typeof html === "string") {
         // Inject CSP meta tag at the start of <head> if CSP is provided
         console.log("[Sandbox] Received CSP:", csp);
diff --git a/examples/basic-server-react/package.json b/examples/basic-server-react/package.json
index 5927040c..e21d4484 100644
--- a/examples/basic-server-react/package.json
+++ b/examples/basic-server-react/package.json
@@ -26,6 +26,7 @@
     "@vitejs/plugin-react": "^4.3.4",
     "concurrently": "^9.2.1",
     "cors": "^2.8.5",
+    "cross-env": "^10.1.0",
     "express": "^5.1.0",
     "typescript": "^5.9.3",
     "vite": "^6.0.0",
diff --git a/examples/basic-server-vanillajs/package.json b/examples/basic-server-vanillajs/package.json
index 5bc5a71c..5554546e 100644
--- a/examples/basic-server-vanillajs/package.json
+++ b/examples/basic-server-vanillajs/package.json
@@ -21,6 +21,7 @@
     "@types/node": "^22.0.0",
     "concurrently": "^9.2.1",
     "cors": "^2.8.5",
+    "cross-env": "^10.1.0",
     "express": "^5.1.0",
     "typescript": "^5.9.3",
     "vite": "^6.0.0",
diff --git a/examples/budget-allocator-server/package.json b/examples/budget-allocator-server/package.json
index 86a95100..6a1f325c 100644
--- a/examples/budget-allocator-server/package.json
+++ b/examples/budget-allocator-server/package.json
@@ -25,6 +25,7 @@
     "@types/node": "^22.0.0",
     "concurrently": "^9.2.1",
     "cors": "^2.8.5",
+    "cross-env": "^10.1.0",
     "express": "^5.1.0",
     "typescript": "^5.9.3",
     "vite": "^6.0.0",
diff --git a/examples/cohort-heatmap-server/package.json b/examples/cohort-heatmap-server/package.json
index aff80002..499f46a8 100644
--- a/examples/cohort-heatmap-server/package.json
+++ b/examples/cohort-heatmap-server/package.json
@@ -29,6 +29,7 @@
     "@vitejs/plugin-react": "^4.3.4",
     "concurrently": "^9.2.1",
     "cors": "^2.8.5",
+    "cross-env": "^10.1.0",
     "express": "^5.1.0",
     "typescript": "^5.9.3",
     "vite": "^6.0.0",
diff --git a/examples/customer-segmentation-server/package.json b/examples/customer-segmentation-server/package.json
index b8b7f197..157efa01 100644
--- a/examples/customer-segmentation-server/package.json
+++ b/examples/customer-segmentation-server/package.json
@@ -25,6 +25,7 @@
     "@types/node": "^22.0.0",
     "concurrently": "^9.2.1",
     "cors": "^2.8.5",
+    "cross-env": "^10.1.0",
     "express": "^5.1.0",
     "typescript": "^5.9.3",
     "vite": "^6.0.0",
diff --git a/examples/scenario-modeler-server/package.json b/examples/scenario-modeler-server/package.json
index 95c13fc1..33b14c58 100644
--- a/examples/scenario-modeler-server/package.json
+++ b/examples/scenario-modeler-server/package.json
@@ -30,6 +30,7 @@
     "@vitejs/plugin-react": "^4.3.4",
     "concurrently": "^9.2.1",
     "cors": "^2.8.5",
+    "cross-env": "^10.1.0",
     "express": "^5.1.0",
     "typescript": "^5.9.3",
     "vite": "^6.0.0",
diff --git a/examples/simple-host/sandbox.html b/examples/simple-host/sandbox.html
new file mode 100644
index 00000000..14849447
--- /dev/null
+++ b/examples/simple-host/sandbox.html
@@ -0,0 +1,128 @@
+<!doctype html>
+<html>
+  <head>
+    <meta charset="utf-8" />
+    <!-- CSP is set via HTTP response headers in serve.ts -->
+    <!-- Note: No CSP meta tag here - CSP is set on the actual remote HTML content -->
+    <!-- and needs to be super relaxed otherwise nothing loads -->
+    <title>MCP-UI Proxy</title>
+    <style>
+      html,
+      body {
+        margin: 0;
+        height: 100vh;
+        width: 100vw;
+      }
+      body {
+        display: flex;
+        flex-direction: column;
+      }
+      * {
+        box-sizing: border-box;
+      }
+      iframe {
+        background-color: transparent;
+        border: 0px none transparent;
+        padding: 0px;
+        overflow: hidden;
+        flex-grow: 1;
+      }
+    </style>
+  </head>
+  <body>
+    <script>
+      // Security checks
+      if (window.self === window.top) {
+        throw new Error("This file is only to be used in an iframe sandbox.");
+      }
+      if (!document.referrer) {
+        throw new Error("No referrer, cannot validate embedding site.");
+      }
+      if (!document.referrer.match(/^http:\/\/(localhost|127\.0\.0\.1)(:|\/|$)/)) {
+        throw new Error(`Embedding domain not allowed in referrer ${document.referrer} (update the validation logic to allow your domain)`);
+      }
+
+      // Try to break out of iframe (security test)
+      try {
+        window.top.alert("If you see this, the sandbox is not setup securely.");
+        throw new Error("Managed to break out of iframe, the sandbox is not setup securely.");
+      } catch (e) {
+        // Expected to fail
+      }
+
+      const inner = document.createElement('iframe');
+      inner.style = 'width:100%; height:100%; border:none;';
+      // sandbox will be set from postMessage payload; default minimal before html arrives
+      // Use allow-same-origin for document.write to work
+      inner.setAttribute('sandbox', 'allow-scripts allow-same-origin');
+      document.body.appendChild(inner);
+
+      // Build iframe allow attribute from permissions
+      function buildAllowAttribute(permissions) {
+        if (!permissions) return '';
+        const allowList = [];
+        if (permissions.camera) allowList.push('camera');
+        if (permissions.microphone) allowList.push('microphone');
+        if (permissions.geolocation) allowList.push('geolocation');
+        return allowList.join('; ');
+      }
+
+      window.addEventListener('message', async (event) => {
+        if (event.source === window.parent) {
+          if (event.data && event.data.method === 'ui/notifications/sandbox-resource-ready') {
+            const { html, sandbox, permissions } = event.data.params || {};
+            // Note: csp is not extracted here - CSP is set via HTTP response headers in serve.ts
+            if (typeof sandbox === 'string') {
+              // Ensure allow-same-origin is present for document.write to work
+              let finalSandbox = sandbox;
+              if (!finalSandbox.includes('allow-same-origin')) {
+                finalSandbox = finalSandbox + ' allow-same-origin';
+              }
+              inner.setAttribute('sandbox', finalSandbox);
+            }
+            // Set Permission Policy allow attribute if permissions are provided
+            const allowAttribute = buildAllowAttribute(permissions);
+            if (allowAttribute) {
+              inner.setAttribute('allow', allowAttribute);
+            }
+            if (typeof html === 'string') {
+              // Use document.write instead of srcdoc to avoid CSP base-uri issues
+              // document.write allows the browser to resolve relative URLs correctly
+              // Match the pattern from mcp-ui proxy script (https://github.com/MCP-UI-Org/mcp-ui/pull/140)
+              // This is the main change to support the double iframe exactly the same way as ChatGPT
+              // The iframe is rendered first (created at page load), then we write when HTML arrives
+              try {
+                if (inner.contentDocument) {
+                  inner.contentDocument.open();
+                  inner.contentDocument.write(html);
+                  inner.contentDocument.close();
+                } else {
+                  // Fallback to srcdoc if contentDocument is not accessible
+                  inner.srcdoc = html;
+                }
+              } catch (e) {
+                console.error('Failed to write HTML to iframe:', e);
+                // Fallback to srcdoc if document.write fails
+                inner.srcdoc = html;
+              }
+            }
+          } else {
+            if (inner && inner.contentWindow) {
+              inner.contentWindow.postMessage(event.data, '*');
+            }
+          }
+        } else if (event.source === inner.contentWindow) {
+          // Relay messages from inner to parent
+          window.parent.postMessage(event.data, '*');
+        }
+      });
+
+      // Notify parent that proxy is ready to receive HTML
+      window.parent.postMessage({
+        jsonrpc: '2.0',
+        method: 'ui/notifications/sandbox-proxy-ready',
+        params: {}
+      }, '*');
+    </script>
+  </body>
+</html>
diff --git a/examples/system-monitor-server/package.json b/examples/system-monitor-server/package.json
index 6adfbb91..485df6f5 100644
--- a/examples/system-monitor-server/package.json
+++ b/examples/system-monitor-server/package.json
@@ -26,6 +26,7 @@
     "@types/node": "^22.0.0",
     "concurrently": "^9.2.1",
     "cors": "^2.8.5",
+    "cross-env": "^10.1.0",
     "express": "^5.1.0",
     "typescript": "^5.9.3",
     "vite": "^6.0.0",
diff --git a/examples/threejs-server/package.json b/examples/threejs-server/package.json
index bdc00f55..e88463a8 100644
--- a/examples/threejs-server/package.json
+++ b/examples/threejs-server/package.json
@@ -31,6 +31,7 @@
     "@vitejs/plugin-react": "^4.3.4",
     "concurrently": "^9.2.1",
     "cors": "^2.8.5",
+    "cross-env": "^10.1.0",
     "express": "^5.1.0",
     "typescript": "^5.9.3",
     "vite": "^6.0.0",
diff --git a/examples/wiki-explorer-server/package.json b/examples/wiki-explorer-server/package.json
index 5c389c31..daef0e9f 100644
--- a/examples/wiki-explorer-server/package.json
+++ b/examples/wiki-explorer-server/package.json
@@ -25,6 +25,7 @@
     "@types/node": "^22.0.0",
     "concurrently": "^9.2.1",
     "cors": "^2.8.5",
+    "cross-env": "^10.1.0",
     "express": "^5.1.0",
     "force-graph": "^1.49.0",
     "typescript": "^5.9.3",
diff --git a/package-lock.json b/package-lock.json
index 2a1bf159..2a5b60ad 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -85,6 +85,7 @@
         "@vitejs/plugin-react": "^4.3.4",
         "concurrently": "^9.2.1",
         "cors": "^2.8.5",
+        "cross-env": "^10.1.0",
         "express": "^5.1.0",
         "prettier": "^3.6.2",
         "typescript": "^5.9.3",
@@ -128,6 +129,7 @@
         "@vitejs/plugin-react": "^4.3.4",
         "concurrently": "^9.2.1",
         "cors": "^2.8.5",
+        "cross-env": "^10.1.0",
         "express": "^5.1.0",
         "typescript": "^5.9.3",
         "vite": "^6.0.0",
@@ -164,6 +166,7 @@
         "@types/node": "^22.0.0",
         "concurrently": "^9.2.1",
         "cors": "^2.8.5",
+        "cross-env": "^10.1.0",
         "express": "^5.1.0",
         "typescript": "^5.9.3",
         "vite": "^6.0.0",
@@ -201,6 +204,7 @@
         "@types/node": "^22.0.0",
         "concurrently": "^9.2.1",
         "cors": "^2.8.5",
+        "cross-env": "^10.1.0",
         "express": "^5.1.0",
         "typescript": "^5.9.3",
         "vite": "^6.0.0",
@@ -242,6 +246,7 @@
         "@vitejs/plugin-react": "^4.3.4",
         "concurrently": "^9.2.1",
         "cors": "^2.8.5",
+        "cross-env": "^10.1.0",
         "express": "^5.1.0",
         "typescript": "^5.9.3",
         "vite": "^6.0.0",
@@ -279,6 +284,7 @@
         "@types/node": "^22.0.0",
         "concurrently": "^9.2.1",
         "cors": "^2.8.5",
+        "cross-env": "^10.1.0",
         "express": "^5.1.0",
         "typescript": "^5.9.3",
         "vite": "^6.0.0",
@@ -321,6 +327,7 @@
         "@vitejs/plugin-react": "^4.3.4",
         "concurrently": "^9.2.1",
         "cors": "^2.8.5",
+        "cross-env": "^10.1.0",
         "express": "^5.1.0",
         "typescript": "^5.9.3",
         "vite": "^6.0.0",
@@ -359,6 +366,7 @@
         "@types/node": "^22.0.0",
         "concurrently": "^9.2.1",
         "cors": "^2.8.5",
+        "cross-env": "^10.1.0",
         "express": "^5.1.0",
         "typescript": "^5.9.3",
         "vite": "^6.0.0",
@@ -402,6 +410,7 @@
         "@vitejs/plugin-react": "^4.3.4",
         "concurrently": "^9.2.1",
         "cors": "^2.8.5",
+        "cross-env": "^10.1.0",
         "express": "^5.1.0",
         "typescript": "^5.9.3",
         "vite": "^6.0.0",
@@ -439,6 +448,7 @@
         "@types/node": "^22.0.0",
         "concurrently": "^9.2.1",
         "cors": "^2.8.5",
+        "cross-env": "^10.1.0",
         "express": "^5.1.0",
         "force-graph": "^1.49.0",
         "typescript": "^5.9.3",
@@ -492,7 +502,6 @@
       "integrity": "sha512-e7jT4DxYvIDLk1ZHmU/m/mB19rex9sv0c2ftBtjSBv+kVM/902eh0fINUzD7UwLLNR+jU585GxUJ8/EBfAM5fw==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "@babel/code-frame": "^7.27.1",
         "@babel/generator": "^7.28.5",
@@ -2098,7 +2107,6 @@
       "integrity": "sha512-GNWcUTRBgIRJD5zj+Tq0fKOJ5XZajIiBroOF0yvj2bSU1WvNdYS/dn9UxwsujGW4JX06dnHyjV2y9rRaybH0iQ==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "undici-types": "~7.16.0"
       }
@@ -2123,7 +2131,6 @@
       "integrity": "sha512-MWtvHrGZLFttgeEj28VXHxpmwYbor/ATPYbBfSFZEIRK0ecCFLl2Qo55z52Hss+UV9CRN7trSeq1zbgx7YDWWg==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "csstype": "^3.2.2"
       }
@@ -2624,7 +2631,6 @@
         }
       ],
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "baseline-browser-mapping": "^2.9.0",
         "caniuse-lite": "^1.0.30001759",
@@ -3340,7 +3346,6 @@
       "integrity": "sha512-fmTRWbNMmsmWq6xJV8D19U/gw/bwrHfNXxrIN+HfZgnzqTHp9jOmKMhsTUjXOJnZOdZY9Q28y4yebKzqDKlxlQ==",
       "dev": true,
       "license": "ISC",
-      "peer": true,
       "engines": {
         "node": ">=12"
       }
@@ -3788,7 +3793,6 @@
       "resolved": "https://registry.npmjs.org/express/-/express-5.2.1.tgz",
       "integrity": "sha512-hIS4idWWai69NezIdRt2xFVofaF4j+6INOpJlVOLDO8zXGpUVEVzIYk12UUi2JzjEzWL3IOAxcTubgz9Po0yXw==",
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "accepts": "^2.0.0",
         "body-parser": "^2.2.1",
@@ -5321,7 +5325,6 @@
       "resolved": "https://registry.npmjs.org/react/-/react-19.2.1.tgz",
       "integrity": "sha512-DGrYcCWK7tvYMnWh79yrPHt+vdx9tY+1gPZa7nJQtO/p8bLTDaHp4dzwEhQB7pZ4Xe3ok4XKuEPrVuc+wlpkmw==",
       "license": "MIT",
-      "peer": true,
       "engines": {
         "node": ">=0.10.0"
       }
@@ -5420,7 +5423,6 @@
       "integrity": "sha512-w8GmOxZfBmKknvdXU1sdM9NHcoQejwF/4mNgj2JuEEdRaHwwF12K7e9eXn1nLZ07ad+du76mkVsyeb2rKGllsA==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "@types/estree": "1.0.8"
       },
@@ -6191,7 +6193,6 @@
       "integrity": "sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "engines": {
         "node": ">=12"
       },
@@ -6941,7 +6942,6 @@
       "integrity": "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw==",
       "dev": true,
       "license": "Apache-2.0",
-      "peer": true,
       "bin": {
         "tsc": "bin/tsc",
         "tsserver": "bin/tsserver"
@@ -7035,7 +7035,6 @@
       "integrity": "sha512-+Oxm7q9hDoLMyJOYfUYBuHQo+dkAloi33apOPP56pzj+vsdJDzr+j1NISE5pyaAuKL4A3UD34qd0lx5+kfKp2g==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "esbuild": "^0.25.0",
         "fdir": "^6.4.4",
@@ -7169,7 +7168,6 @@
       "integrity": "sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "engines": {
         "node": ">=12"
       },
@@ -7422,7 +7420,6 @@
       "integrity": "sha512-mplynKqc1C2hTVYxd0PU2xQAc22TI1vShAYGksCCfxbn/dFwnHTNi1bvYsBTkhdUNtGIf5xNOg938rrSSYvS9A==",
       "dev": true,
       "license": "ISC",
-      "peer": true,
       "bin": {
         "yaml": "bin.mjs"
       },
@@ -7467,7 +7464,6 @@
       "resolved": "https://registry.npmjs.org/zod/-/zod-4.2.1.tgz",
       "integrity": "sha512-0wZ1IRqGGhMP76gLqz8EyfBXKk0J2qo2+H3fi4mcUP/KtTocoX08nmIAHl1Z2kJIZbZee8KOpBCSNPRgauucjw==",
       "license": "MIT",
-      "peer": true,
       "funding": {
         "url": "https://github.com/sponsors/colinhacks"
       }
diff --git a/specification/draft/apps.mdx b/specification/draft/apps.mdx
index 6e33f813..c43881f2 100644
--- a/specification/draft/apps.mdx
+++ b/specification/draft/apps.mdx
@@ -138,6 +138,53 @@ interface UIResourceMeta {
      * ["https://cdn.jsdelivr.net", "https://*.cloudflare.com"]
      */
     resourceDomains?: string[],
+    /**
+     * Origins for nested iframes
+     *
+     * - Empty or omitted = no nested iframes allowed (`frame-src 'none'`)
+     * - Maps to CSP `frame-src` directive
+     *
+     * @example
+     * ["https://www.youtube.com", "https://player.vimeo.com"]
+     */
+    frameDomains?: string[],
+    /**
+     * Allowed base URIs for the document
+     *
+     * - Empty or omitted = only same origin allowed (`base-uri 'self'`)
+     * - Maps to CSP `base-uri` directive
+     *
+     * @example
+     * ["https://cdn.example.com"]
+     */
+    baseUriDomains?: string[],
+  },
+  /**
+   * Sandbox permissions requested by the UI
+   *
+   * Servers declare which browser capabilities their UI needs.
+   * Hosts MAY honor these by setting appropriate iframe `allow` attributes.
+   * Apps SHOULD NOT assume permissions are granted; use JS feature detection as fallback.
+   */
+  permissions?: {
+    /**
+     * Request camera access
+     *
+     * Maps to Permission Policy `camera` feature
+     */
+    camera?: boolean,
+    /**
+     * Request microphone access
+     *
+     * Maps to Permission Policy `microphone` feature
+     */
+    microphone?: boolean,
+    /**
+     * Request geolocation access
+     *
+     * Maps to Permission Policy `geolocation` feature
+     */
+    geolocation?: boolean,
   },
   /**
    * Dedicated origin for widget
@@ -180,6 +227,13 @@ The resource content is returned via `resources/read`:
         csp?: {
           connectDomains?: string[];  // Origins for fetch/XHR/WebSocket
           resourceDomains?: string[]; // Origins for images, scripts, etc
+          frameDomains?: string[];    // Origins for nested iframes
+          baseUriDomains?: string[];  // Allowed base URIs
+        };
+        permissions?: {
+          camera?: boolean;           // Request camera access
+          microphone?: boolean;       // Request microphone access
+          geolocation?: boolean;      // Request geolocation access
         };
         domain?: string;
         prefersBorder?: boolean;
@@ -404,9 +458,11 @@ If the Host is a web page, it MUST wrap the Guest UI and communicate with it thr
 4. Once the Sandbox is ready, the Host MUST send the raw HTML resource to load in a `ui/notifications/sandbox-resource-ready` notification.
 5. The Sandbox MUST load the raw HTML of the Guest UI with CSP settings that:
    - Enforce the domains declared in `ui.csp` metadata
-   - Prevent nested iframes (`frame-src 'none'`)
-   - Block dangerous features (`object-src 'none'`, `base-uri 'self'`)
+   - If `frameDomains` is provided, allow nested iframes from declared origins; otherwise use `frame-src 'none'`
+   - If `baseUriDomains` is provided, allow base URIs from declared origins; otherwise use `base-uri 'self'`
+   - Block dangerous features (`object-src 'none'`)
    - Apply restrictive defaults if no CSP metadata is provided
+   - If `permissions` is declared, the Sandbox MAY set the inner iframe's `allow` attribute accordingly
 6. The Sandbox MUST forward messages sent by the Host to the Guest UI, and vice versa, for any method that doesn’t start with `ui/notifications/sandbox-`. This includes lifecycle messages, e.g., `ui/initialize` request & `ui/notifications/initialized` notification both sent by the Guest UI. The Host MUST NOT send any request or notification to the Guest UI before it receives an `initialized` notification.
 7. The Sandbox SHOULD NOT create/send any requests to the Host or to the Guest UI (this would require synthesizing new request ids).
 8. The Host MAY forward any message from the Guest UI (coming via the Sandbox) to the MCP Apps server, for any method that doesn’t start with `ui/`. While the Host SHOULD ensure the Guest UI’s MCP connection is spec-compliant, it MAY decide to block some messages or subject them to further user approval.
@@ -522,6 +578,52 @@ Example:
 }
 ```
 
+### Host Capabilities
+
+`HostCapabilities` are sent to the Guest UI as part of the response to `ui/initialize` (inside `McpUiInitializeResult`).
+They describe the features and capabilities that the Host supports.
+
+```typescript
+interface HostCapabilities {
+  /** Experimental features (structure TBD). */
+  experimental?: {};
+  /** Host supports opening external URLs. */
+  openLinks?: {};
+  /** Host can proxy tool calls to the MCP server. */
+  serverTools?: {
+    /** Host supports tools/list_changed notifications. */
+    listChanged?: boolean;
+  };
+  /** Host can proxy resource reads to the MCP server. */
+  serverResources?: {
+    /** Host supports resources/list_changed notifications. */
+    listChanged?: boolean;
+  };
+  /** Host accepts log messages. */
+  logging?: {};
+  /** Sandbox configuration applied by the host. */
+  sandbox?: {
+    /** Permissions granted by the host (camera, microphone, geolocation). */
+    permissions?: {
+      camera?: boolean;
+      microphone?: boolean;
+      geolocation?: boolean;
+    };
+    /** CSP domains approved by the host. */
+    csp?: {
+      /** Approved origins for network requests (fetch/XHR/WebSocket). */
+      connectDomains?: string[];
+      /** Approved origins for static resources (scripts, images, styles, fonts). */
+      resourceDomains?: string[];
+      /** Approved origins for nested iframes (frame-src directive). */
+      frameDomains?: string[];
+      /** Approved base URIs for the document (base-uri directive). */
+      baseUriDomains?: string[];
+    };
+  };
+}
+```
+
 ### Theming
 
 Hosts can optionally pass CSS custom properties via `HostContext.styles.variables` for visual cohesion with the host environment.
@@ -949,12 +1051,23 @@ These messages are reserved for web-based hosts that implement the recommended d
   method: "ui/notifications/sandbox-resource-ready",
   params: {
     html: string,        // HTML content to load
-    sandbox: string      // Optional override for inner iframe `sandbox` attribute
+    sandbox?: string,    // Optional override for inner iframe `sandbox` attribute
+    csp?: {              // CSP configuration from resource metadata
+      connectDomains?: string[],
+      resourceDomains?: string[],
+      frameDomains?: string[],
+      baseUriDomains?: string[],
+    },
+    permissions?: {      // Sandbox permissions from resource metadata
+      camera?: boolean,
+      microphone?: boolean,
+      geolocation?: boolean,
+    }
   }
 }
 ```
 
-These messages facilitate the communication between the outer sandbox proxy iframe and the host, enabling secure loading of untrusted HTML content.
+These messages facilitate the communication between the outer sandbox proxy iframe and the host, enabling secure loading of untrusted HTML content. The `permissions` field maps to the inner iframe's `allow` attribute for Permission Policy features.
 
 ### Lifecycle
 
@@ -1410,6 +1523,7 @@ Hosts MUST enforce Content Security Policies based on resource metadata.
 
 ```typescript
 const csp = resource._meta?.ui?.csp;
+const permissions = resource._meta?.ui?.permissions;
 
 const cspValue = `
   default-src 'none';
@@ -1419,10 +1533,17 @@ const cspValue = `
   img-src 'self' data: ${csp?.resourceDomains?.join(' ') || ''};
   font-src 'self' ${csp?.resourceDomains?.join(' ') || ''};
   media-src 'self' data: ${csp?.resourceDomains?.join(' ') || ''};
-  frame-src 'none';
+  frame-src ${csp?.frameDomains?.join(' ') || "'none'"};
   object-src 'none';
-  base-uri 'self';
+  base-uri ${csp?.baseUriDomains?.join(' ') || "'self'"};
 `;
+
+// Permission Policy for iframe allow attribute
+const allowList: string[] = [];
+if (permissions?.camera) allowList.push('camera');
+if (permissions?.microphone) allowList.push('microphone');
+if (permissions?.geolocation) allowList.push('geolocation');
+const allowAttribute = allowList.join(' ');
 ```
 
 **Security Requirements:**
diff --git a/src/generated/schema.json b/src/generated/schema.json
index e8359865..ee56ecfc 100644
--- a/src/generated/schema.json
+++ b/src/generated/schema.json
@@ -89,6 +89,67 @@
           "type": "object",
           "properties": {},
           "additionalProperties": false
+        },
+        "sandbox": {
+          "description": "Sandbox configuration applied by the host.",
+          "type": "object",
+          "properties": {
+            "permissions": {
+              "description": "Permissions granted by the host (camera, microphone, geolocation).",
+              "type": "object",
+              "properties": {
+                "camera": {
+                  "description": "Request camera access (Permission Policy `camera` feature).",
+                  "type": "boolean"
+                },
+                "microphone": {
+                  "description": "Request microphone access (Permission Policy `microphone` feature).",
+                  "type": "boolean"
+                },
+                "geolocation": {
+                  "description": "Request geolocation access (Permission Policy `geolocation` feature).",
+                  "type": "boolean"
+                }
+              },
+              "additionalProperties": false
+            },
+            "csp": {
+              "description": "CSP domains approved by the host.",
+              "type": "object",
+              "properties": {
+                "connectDomains": {
+                  "description": "Origins for network requests (fetch/XHR/WebSocket).",
+                  "type": "array",
+                  "items": {
+                    "type": "string"
+                  }
+                },
+                "resourceDomains": {
+                  "description": "Origins for static resources (scripts, images, styles, fonts).",
+                  "type": "array",
+                  "items": {
+                    "type": "string"
+                  }
+                },
+                "frameDomains": {
+                  "description": "Origins for nested iframes (frame-src directive).",
+                  "type": "array",
+                  "items": {
+                    "type": "string"
+                  }
+                },
+                "baseUriDomains": {
+                  "description": "Allowed base URIs for the document (base-uri directive).",
+                  "type": "array",
+                  "items": {
+                    "type": "string"
+                  }
+                }
+              },
+              "additionalProperties": false
+            }
+          },
+          "additionalProperties": false
         }
       },
       "additionalProperties": false
@@ -1882,6 +1943,67 @@
               "type": "object",
               "properties": {},
               "additionalProperties": false
+            },
+            "sandbox": {
+              "description": "Sandbox configuration applied by the host.",
+              "type": "object",
+              "properties": {
+                "permissions": {
+                  "description": "Permissions granted by the host (camera, microphone, geolocation).",
+                  "type": "object",
+                  "properties": {
+                    "camera": {
+                      "description": "Request camera access (Permission Policy `camera` feature).",
+                      "type": "boolean"
+                    },
+                    "microphone": {
+                      "description": "Request microphone access (Permission Policy `microphone` feature).",
+                      "type": "boolean"
+                    },
+                    "geolocation": {
+                      "description": "Request geolocation access (Permission Policy `geolocation` feature).",
+                      "type": "boolean"
+                    }
+                  },
+                  "additionalProperties": false
+                },
+                "csp": {
+                  "description": "CSP domains approved by the host.",
+                  "type": "object",
+                  "properties": {
+                    "connectDomains": {
+                      "description": "Origins for network requests (fetch/XHR/WebSocket).",
+                      "type": "array",
+                      "items": {
+                        "type": "string"
+                      }
+                    },
+                    "resourceDomains": {
+                      "description": "Origins for static resources (scripts, images, styles, fonts).",
+                      "type": "array",
+                      "items": {
+                        "type": "string"
+                      }
+                    },
+                    "frameDomains": {
+                      "description": "Origins for nested iframes (frame-src directive).",
+                      "type": "array",
+                      "items": {
+                        "type": "string"
+                      }
+                    },
+                    "baseUriDomains": {
+                      "description": "Allowed base URIs for the document (base-uri directive).",
+                      "type": "array",
+                      "items": {
+                        "type": "string"
+                      }
+                    }
+                  },
+                  "additionalProperties": false
+                }
+              },
+              "additionalProperties": false
             }
           },
           "additionalProperties": false
@@ -2994,6 +3116,20 @@
           "items": {
             "type": "string"
           }
+        },
+        "frameDomains": {
+          "description": "Origins for nested iframes (frame-src directive).",
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
+        },
+        "baseUriDomains": {
+          "description": "Allowed base URIs for the document (base-uri directive).",
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
         }
       },
       "additionalProperties": false
@@ -3019,6 +3155,39 @@
               "items": {
                 "type": "string"
               }
+            },
+            "frameDomains": {
+              "description": "Origins for nested iframes (frame-src directive).",
+              "type": "array",
+              "items": {
+                "type": "string"
+              }
+            },
+            "baseUriDomains": {
+              "description": "Allowed base URIs for the document (base-uri directive).",
+              "type": "array",
+              "items": {
+                "type": "string"
+              }
+            }
+          },
+          "additionalProperties": false
+        },
+        "permissions": {
+          "description": "Sandbox permissions requested by the UI.",
+          "type": "object",
+          "properties": {
+            "camera": {
+              "description": "Request camera access (Permission Policy `camera` feature).",
+              "type": "boolean"
+            },
+            "microphone": {
+              "description": "Request microphone access (Permission Policy `microphone` feature).",
+              "type": "boolean"
+            },
+            "geolocation": {
+              "description": "Request geolocation access (Permission Policy `geolocation` feature).",
+              "type": "boolean"
             }
           },
           "additionalProperties": false
@@ -3034,6 +3203,25 @@
       },
       "additionalProperties": false
     },
+    "McpUiResourcePermissions": {
+      "$schema": "https://json-schema.org/draft/2020-12/schema",
+      "type": "object",
+      "properties": {
+        "camera": {
+          "description": "Request camera access (Permission Policy `camera` feature).",
+          "type": "boolean"
+        },
+        "microphone": {
+          "description": "Request microphone access (Permission Policy `microphone` feature).",
+          "type": "boolean"
+        },
+        "geolocation": {
+          "description": "Request geolocation access (Permission Policy `geolocation` feature).",
+          "type": "boolean"
+        }
+      },
+      "additionalProperties": false
+    },
     "McpUiResourceTeardownRequest": {
       "$schema": "https://json-schema.org/draft/2020-12/schema",
       "type": "object",
@@ -3112,6 +3300,39 @@
                   "items": {
                     "type": "string"
                   }
+                },
+                "frameDomains": {
+                  "description": "Origins for nested iframes (frame-src directive).",
+                  "type": "array",
+                  "items": {
+                    "type": "string"
+                  }
+                },
+                "baseUriDomains": {
+                  "description": "Allowed base URIs for the document (base-uri directive).",
+                  "type": "array",
+                  "items": {
+                    "type": "string"
+                  }
+                }
+              },
+              "additionalProperties": false
+            },
+            "permissions": {
+              "description": "Sandbox permissions from resource metadata.",
+              "type": "object",
+              "properties": {
+                "camera": {
+                  "description": "Request camera access (Permission Policy `camera` feature).",
+                  "type": "boolean"
+                },
+                "microphone": {
+                  "description": "Request microphone access (Permission Policy `microphone` feature).",
+                  "type": "boolean"
+                },
+                "geolocation": {
+                  "description": "Request geolocation access (Permission Policy `geolocation` feature).",
+                  "type": "boolean"
                 }
               },
               "additionalProperties": false
diff --git a/src/generated/schema.test.ts b/src/generated/schema.test.ts
index e9a57981..b2f77fbd 100644
--- a/src/generated/schema.test.ts
+++ b/src/generated/schema.test.ts
@@ -43,8 +43,8 @@ export type McpUiSandboxProxyReadyNotificationSchemaInferredType = z.infer<
   typeof generated.McpUiSandboxProxyReadyNotificationSchema
 >;
 
-export type McpUiSandboxResourceReadyNotificationSchemaInferredType = z.infer<
-  typeof generated.McpUiSandboxResourceReadyNotificationSchema
+export type McpUiResourcePermissionsSchemaInferredType = z.infer<
+  typeof generated.McpUiResourcePermissionsSchema
 >;
 
 export type McpUiSizeChangedNotificationSchemaInferredType = z.infer<
@@ -79,20 +79,20 @@ export type McpUiResourceTeardownResultSchemaInferredType = z.infer<
   typeof generated.McpUiResourceTeardownResultSchema
 >;
 
-export type McpUiHostCapabilitiesSchemaInferredType = z.infer<
-  typeof generated.McpUiHostCapabilitiesSchema
+export type McpUiResourceCspSchemaInferredType = z.infer<
+  typeof generated.McpUiResourceCspSchema
 >;
 
 export type McpUiAppCapabilitiesSchemaInferredType = z.infer<
   typeof generated.McpUiAppCapabilitiesSchema
 >;
 
-export type McpUiInitializedNotificationSchemaInferredType = z.infer<
-  typeof generated.McpUiInitializedNotificationSchema
+export type McpUiHostCapabilitiesSchemaInferredType = z.infer<
+  typeof generated.McpUiHostCapabilitiesSchema
 >;
 
-export type McpUiResourceCspSchemaInferredType = z.infer<
-  typeof generated.McpUiResourceCspSchema
+export type McpUiInitializedNotificationSchemaInferredType = z.infer<
+  typeof generated.McpUiInitializedNotificationSchema
 >;
 
 export type McpUiResourceMetaSchemaInferredType = z.infer<
@@ -119,6 +119,10 @@ export type McpUiMessageRequestSchemaInferredType = z.infer<
   typeof generated.McpUiMessageRequestSchema
 >;
 
+export type McpUiSandboxResourceReadyNotificationSchemaInferredType = z.infer<
+  typeof generated.McpUiSandboxResourceReadyNotificationSchema
+>;
+
 export type McpUiToolResultNotificationSchemaInferredType = z.infer<
   typeof generated.McpUiToolResultNotificationSchema
 >;
@@ -171,11 +175,11 @@ expectType<spec.McpUiSandboxProxyReadyNotification>(
 expectType<McpUiSandboxProxyReadyNotificationSchemaInferredType>(
   {} as spec.McpUiSandboxProxyReadyNotification,
 );
-expectType<spec.McpUiSandboxResourceReadyNotification>(
-  {} as McpUiSandboxResourceReadyNotificationSchemaInferredType,
+expectType<spec.McpUiResourcePermissions>(
+  {} as McpUiResourcePermissionsSchemaInferredType,
 );
-expectType<McpUiSandboxResourceReadyNotificationSchemaInferredType>(
-  {} as spec.McpUiSandboxResourceReadyNotification,
+expectType<McpUiResourcePermissionsSchemaInferredType>(
+  {} as spec.McpUiResourcePermissions,
 );
 expectType<spec.McpUiSizeChangedNotification>(
   {} as McpUiSizeChangedNotificationSchemaInferredType,
@@ -217,26 +221,26 @@ expectType<spec.McpUiResourceTeardownResult>(
 expectType<McpUiResourceTeardownResultSchemaInferredType>(
   {} as spec.McpUiResourceTeardownResult,
 );
-expectType<spec.McpUiHostCapabilities>(
-  {} as McpUiHostCapabilitiesSchemaInferredType,
-);
-expectType<McpUiHostCapabilitiesSchemaInferredType>(
-  {} as spec.McpUiHostCapabilities,
-);
+expectType<spec.McpUiResourceCsp>({} as McpUiResourceCspSchemaInferredType);
+expectType<McpUiResourceCspSchemaInferredType>({} as spec.McpUiResourceCsp);
 expectType<spec.McpUiAppCapabilities>(
   {} as McpUiAppCapabilitiesSchemaInferredType,
 );
 expectType<McpUiAppCapabilitiesSchemaInferredType>(
   {} as spec.McpUiAppCapabilities,
 );
+expectType<spec.McpUiHostCapabilities>(
+  {} as McpUiHostCapabilitiesSchemaInferredType,
+);
+expectType<McpUiHostCapabilitiesSchemaInferredType>(
+  {} as spec.McpUiHostCapabilities,
+);
 expectType<spec.McpUiInitializedNotification>(
   {} as McpUiInitializedNotificationSchemaInferredType,
 );
 expectType<McpUiInitializedNotificationSchemaInferredType>(
   {} as spec.McpUiInitializedNotification,
 );
-expectType<spec.McpUiResourceCsp>({} as McpUiResourceCspSchemaInferredType);
-expectType<McpUiResourceCspSchemaInferredType>({} as spec.McpUiResourceCsp);
 expectType<spec.McpUiResourceMeta>({} as McpUiResourceMetaSchemaInferredType);
 expectType<McpUiResourceMetaSchemaInferredType>({} as spec.McpUiResourceMeta);
 expectType<spec.McpUiRequestDisplayModeRequest>(
@@ -265,6 +269,12 @@ expectType<spec.McpUiMessageRequest>(
 expectType<McpUiMessageRequestSchemaInferredType>(
   {} as spec.McpUiMessageRequest,
 );
+expectType<spec.McpUiSandboxResourceReadyNotification>(
+  {} as McpUiSandboxResourceReadyNotificationSchemaInferredType,
+);
+expectType<McpUiSandboxResourceReadyNotificationSchemaInferredType>(
+  {} as spec.McpUiSandboxResourceReadyNotification,
+);
 expectType<spec.McpUiToolResultNotification>(
   {} as McpUiToolResultNotificationSchemaInferredType,
 );
diff --git a/src/generated/schema.ts b/src/generated/schema.ts
index 9e6120a5..85ecd91e 100644
--- a/src/generated/schema.ts
+++ b/src/generated/schema.ts
@@ -185,39 +185,30 @@ export const McpUiSandboxProxyReadyNotificationSchema = z.object({
 });
 
 /**
- * @description Notification containing HTML resource for the sandbox proxy to load.
- * @internal
- * @see https://github.com/modelcontextprotocol/ext-apps/blob/main/specification/draft/apps.mdx#sandbox-proxy
+ * @description Sandbox permissions requested by the UI resource.
+ * Hosts MAY honor these by setting appropriate iframe `allow` attributes.
+ * Apps SHOULD NOT assume permissions are granted; use JS feature detection as fallback.
  */
-export const McpUiSandboxResourceReadyNotificationSchema = z.object({
-  method: z.literal("ui/notifications/sandbox-resource-ready"),
-  params: z.object({
-    /** @description HTML content to load into the inner iframe. */
-    html: z.string().describe("HTML content to load into the inner iframe."),
-    /** @description Optional override for the inner iframe's sandbox attribute. */
-    sandbox: z
-      .string()
-      .optional()
-      .describe("Optional override for the inner iframe's sandbox attribute."),
-    /** @description CSP configuration from resource metadata. */
-    csp: z
-      .object({
-        /** @description Origins for network requests (fetch/XHR/WebSocket). */
-        connectDomains: z
-          .array(z.string())
-          .optional()
-          .describe("Origins for network requests (fetch/XHR/WebSocket)."),
-        /** @description Origins for static resources (scripts, images, styles, fonts). */
-        resourceDomains: z
-          .array(z.string())
-          .optional()
-          .describe(
-            "Origins for static resources (scripts, images, styles, fonts).",
-          ),
-      })
-      .optional()
-      .describe("CSP configuration from resource metadata."),
-  }),
+export const McpUiResourcePermissionsSchema = z.object({
+  /** @description Request camera access (Permission Policy `camera` feature). */
+  camera: z
+    .boolean()
+    .optional()
+    .describe("Request camera access (Permission Policy `camera` feature)."),
+  /** @description Request microphone access (Permission Policy `microphone` feature). */
+  microphone: z
+    .boolean()
+    .optional()
+    .describe(
+      "Request microphone access (Permission Policy `microphone` feature).",
+    ),
+  /** @description Request geolocation access (Permission Policy `geolocation` feature). */
+  geolocation: z
+    .boolean()
+    .optional()
+    .describe(
+      "Request geolocation access (Permission Policy `geolocation` feature).",
+    ),
 });
 
 /**
@@ -333,6 +324,55 @@ export const McpUiResourceTeardownResultSchema = z.record(
   z.unknown(),
 );
 
+/**
+ * @description Content Security Policy configuration for UI resources.
+ */
+export const McpUiResourceCspSchema = z.object({
+  /** @description Origins for network requests (fetch/XHR/WebSocket). */
+  connectDomains: z
+    .array(z.string())
+    .optional()
+    .describe("Origins for network requests (fetch/XHR/WebSocket)."),
+  /** @description Origins for static resources (scripts, images, styles, fonts). */
+  resourceDomains: z
+    .array(z.string())
+    .optional()
+    .describe("Origins for static resources (scripts, images, styles, fonts)."),
+  /** @description Origins for nested iframes (frame-src directive). */
+  frameDomains: z
+    .array(z.string())
+    .optional()
+    .describe("Origins for nested iframes (frame-src directive)."),
+  /** @description Allowed base URIs for the document (base-uri directive). */
+  baseUriDomains: z
+    .array(z.string())
+    .optional()
+    .describe("Allowed base URIs for the document (base-uri directive)."),
+});
+
+/**
+ * @description Capabilities provided by the Guest UI (App).
+ * @see {@link McpUiInitializeRequest} for the initialization request that includes these capabilities
+ */
+export const McpUiAppCapabilitiesSchema = z.object({
+  /** @description Experimental features (structure TBD). */
+  experimental: z
+    .object({})
+    .optional()
+    .describe("Experimental features (structure TBD)."),
+  /** @description App exposes MCP-style tools that the host can call. */
+  tools: z
+    .object({
+      /** @description App supports tools/list_changed notifications. */
+      listChanged: z
+        .boolean()
+        .optional()
+        .describe("App supports tools/list_changed notifications."),
+    })
+    .optional()
+    .describe("App exposes MCP-style tools that the host can call."),
+});
+
 /**
  * @description Capabilities supported by the host application.
  * @see {@link McpUiInitializeResult} for the initialization result that includes these capabilities
@@ -372,29 +412,20 @@ export const McpUiHostCapabilitiesSchema = z.object({
     .describe("Host can proxy resource reads to the MCP server."),
   /** @description Host accepts log messages. */
   logging: z.object({}).optional().describe("Host accepts log messages."),
-});
-
-/**
- * @description Capabilities provided by the Guest UI (App).
- * @see {@link McpUiInitializeRequest} for the initialization request that includes these capabilities
- */
-export const McpUiAppCapabilitiesSchema = z.object({
-  /** @description Experimental features (structure TBD). */
-  experimental: z
-    .object({})
-    .optional()
-    .describe("Experimental features (structure TBD)."),
-  /** @description App exposes MCP-style tools that the host can call. */
-  tools: z
+  /** @description Sandbox configuration applied by the host. */
+  sandbox: z
     .object({
-      /** @description App supports tools/list_changed notifications. */
-      listChanged: z
-        .boolean()
-        .optional()
-        .describe("App supports tools/list_changed notifications."),
+      /** @description Permissions granted by the host (camera, microphone, geolocation). */
+      permissions: McpUiResourcePermissionsSchema.optional().describe(
+        "Permissions granted by the host (camera, microphone, geolocation).",
+      ),
+      /** @description CSP domains approved by the host. */
+      csp: McpUiResourceCspSchema.optional().describe(
+        "CSP domains approved by the host.",
+      ),
     })
     .optional()
-    .describe("App exposes MCP-style tools that the host can call."),
+    .describe("Sandbox configuration applied by the host."),
 });
 
 /**
@@ -406,22 +437,6 @@ export const McpUiInitializedNotificationSchema = z.object({
   params: z.object({}).optional(),
 });
 
-/**
- * @description Content Security Policy configuration for UI resources.
- */
-export const McpUiResourceCspSchema = z.object({
-  /** @description Origins for network requests (fetch/XHR/WebSocket). */
-  connectDomains: z
-    .array(z.string())
-    .optional()
-    .describe("Origins for network requests (fetch/XHR/WebSocket)."),
-  /** @description Origins for static resources (scripts, images, styles, fonts). */
-  resourceDomains: z
-    .array(z.string())
-    .optional()
-    .describe("Origins for static resources (scripts, images, styles, fonts)."),
-});
-
 /**
  * @description UI Resource metadata for security and rendering configuration.
  */
@@ -430,6 +445,10 @@ export const McpUiResourceMetaSchema = z.object({
   csp: McpUiResourceCspSchema.optional().describe(
     "Content Security Policy configuration.",
   ),
+  /** @description Sandbox permissions requested by the UI. */
+  permissions: McpUiResourcePermissionsSchema.optional().describe(
+    "Sandbox permissions requested by the UI.",
+  ),
   /** @description Dedicated origin for widget sandbox. */
   domain: z
     .string()
@@ -520,6 +539,56 @@ export const McpUiMessageRequestSchema = z.object({
   }),
 });
 
+/**
+ * @description Notification containing HTML resource for the sandbox proxy to load.
+ * @internal
+ * @see https://github.com/modelcontextprotocol/ext-apps/blob/main/specification/draft/apps.mdx#sandbox-proxy
+ */
+export const McpUiSandboxResourceReadyNotificationSchema = z.object({
+  method: z.literal("ui/notifications/sandbox-resource-ready"),
+  params: z.object({
+    /** @description HTML content to load into the inner iframe. */
+    html: z.string().describe("HTML content to load into the inner iframe."),
+    /** @description Optional override for the inner iframe's sandbox attribute. */
+    sandbox: z
+      .string()
+      .optional()
+      .describe("Optional override for the inner iframe's sandbox attribute."),
+    /** @description CSP configuration from resource metadata. */
+    csp: z
+      .object({
+        /** @description Origins for network requests (fetch/XHR/WebSocket). */
+        connectDomains: z
+          .array(z.string())
+          .optional()
+          .describe("Origins for network requests (fetch/XHR/WebSocket)."),
+        /** @description Origins for static resources (scripts, images, styles, fonts). */
+        resourceDomains: z
+          .array(z.string())
+          .optional()
+          .describe(
+            "Origins for static resources (scripts, images, styles, fonts).",
+          ),
+        /** @description Origins for nested iframes (frame-src directive). */
+        frameDomains: z
+          .array(z.string())
+          .optional()
+          .describe("Origins for nested iframes (frame-src directive)."),
+        /** @description Allowed base URIs for the document (base-uri directive). */
+        baseUriDomains: z
+          .array(z.string())
+          .optional()
+          .describe("Allowed base URIs for the document (base-uri directive)."),
+      })
+      .optional()
+      .describe("CSP configuration from resource metadata."),
+    /** @description Sandbox permissions from resource metadata. */
+    permissions: McpUiResourcePermissionsSchema.optional().describe(
+      "Sandbox permissions from resource metadata.",
+    ),
+  }),
+});
+
 /**
  * @description Notification containing tool execution result (Host -> Guest UI).
  */
diff --git a/src/spec.types.ts b/src/spec.types.ts
index f97a0a6f..6f1662fe 100644
--- a/src/spec.types.ts
+++ b/src/spec.types.ts
@@ -223,7 +223,13 @@ export interface McpUiSandboxResourceReadyNotification {
       connectDomains?: string[];
       /** @description Origins for static resources (scripts, images, styles, fonts). */
       resourceDomains?: string[];
+      /** @description Origins for nested iframes (frame-src directive). */
+      frameDomains?: string[];
+      /** @description Allowed base URIs for the document (base-uri directive). */
+      baseUriDomains?: string[];
     };
+    /** @description Sandbox permissions from resource metadata. */
+    permissions?: McpUiResourcePermissions;
   };
 }
 
@@ -414,6 +420,13 @@ export interface McpUiHostCapabilities {
   };
   /** @description Host accepts log messages. */
   logging?: {};
+  /** @description Sandbox configuration applied by the host. */
+  sandbox?: {
+    /** @description Permissions granted by the host (camera, microphone, geolocation). */
+    permissions?: McpUiResourcePermissions;
+    /** @description CSP domains approved by the host. */
+    csp?: McpUiResourceCsp;
+  };
 }
 
 /**
@@ -483,6 +496,24 @@ export interface McpUiResourceCsp {
   connectDomains?: string[];
   /** @description Origins for static resources (scripts, images, styles, fonts). */
   resourceDomains?: string[];
+  /** @description Origins for nested iframes (frame-src directive). */
+  frameDomains?: string[];
+  /** @description Allowed base URIs for the document (base-uri directive). */
+  baseUriDomains?: string[];
+}
+
+/**
+ * @description Sandbox permissions requested by the UI resource.
+ * Hosts MAY honor these by setting appropriate iframe `allow` attributes.
+ * Apps SHOULD NOT assume permissions are granted; use JS feature detection as fallback.
+ */
+export interface McpUiResourcePermissions {
+  /** @description Request camera access (Permission Policy `camera` feature). */
+  camera?: boolean;
+  /** @description Request microphone access (Permission Policy `microphone` feature). */
+  microphone?: boolean;
+  /** @description Request geolocation access (Permission Policy `geolocation` feature). */
+  geolocation?: boolean;
 }
 
 /**
@@ -491,6 +522,8 @@ export interface McpUiResourceCsp {
 export interface McpUiResourceMeta {
   /** @description Content Security Policy configuration. */
   csp?: McpUiResourceCsp;
+  /** @description Sandbox permissions requested by the UI. */
+  permissions?: McpUiResourcePermissions;
   /** @description Dedicated origin for widget sandbox. */
   domain?: string;
   /** @description Visual boundary preference - true if UI prefers a visible border. */
diff --git a/src/types.ts b/src/types.ts
index d710ad35..2c3bd6fe 100644
--- a/src/types.ts
+++ b/src/types.ts
@@ -39,6 +39,7 @@ export {
   type McpUiInitializeResult,
   type McpUiInitializedNotification,
   type McpUiResourceCsp,
+  type McpUiResourcePermissions,
   type McpUiResourceMeta,
   type McpUiRequestDisplayModeRequest,
   type McpUiRequestDisplayModeResult,
@@ -96,6 +97,7 @@ export {
   McpUiInitializeResultSchema,
   McpUiInitializedNotificationSchema,
   McpUiResourceCspSchema,
+  McpUiResourcePermissionsSchema,
   McpUiResourceMetaSchema,
   McpUiRequestDisplayModeRequestSchema,
   McpUiRequestDisplayModeResultSchema,