Open CORS for any origin to allow direct browser connection (#2725)

* * In src/everything/sse.ts
  - import cors
  - use cors with config allowing any origin + GET/POST
* In src/everything/streamableHttp.ts
  - import cors
    - use cors with config allowing any origin + GET/POST/DELETE, and exposed protocol headers for client to read
* In package.json and package-lock.json
  - add cors as a dependency

* * In package.json and package-lock.json
  - add @types/cors as dev dependency

* Add caution note for CORS origin wildcard usage

Added caution note for using '*' in CORS origin.

* * In streamableHttp.ts
  - remove remove unintentional console log

* * In streamableHttp.ts
  - add comment about why opening cors for all routes

* * In sse.ts
  - add comment about using * with caution in production for cors

* * In sse.ts
  - indent on cors config

---------

Co-authored-by: shaun smith <1936278+evalstate@users.noreply.github.com>

src/everything/sse.ts

@@ -1,11 +1,17 @@
 import { SSEServerTransport } from "@modelcontextprotocol/sdk/server/sse.js";
 import express from "express";
 import { createServer } from "./everything.js";
+import cors from 'cors';
 
 console.error('Starting SSE server...');
 
 const app = express();
-
+app.use(cors({
+    "origin": "*", // use "*" with caution in production
+    "methods": "GET,POST",
+    "preflightContinue": false,
+    "optionsSuccessStatus": 204,
+})); // Enable CORS for all routes so Inspector can connect
 const transports: Map<string, SSEServerTransport> = new Map<string, SSEServerTransport>();
 
 app.get("/sse", async (req, res) => {