Open CORS for any origin to allow direct browser connection (#2725)

* * In src/everything/sse.ts
  - import cors
  - use cors with config allowing any origin + GET/POST
* In src/everything/streamableHttp.ts
  - import cors
    - use cors with config allowing any origin + GET/POST/DELETE, and exposed protocol headers for client to read
* In package.json and package-lock.json
  - add cors as a dependency

* * In package.json and package-lock.json
  - add @types/cors as dev dependency

* Add caution note for CORS origin wildcard usage

Added caution note for using '*' in CORS origin.

* * In streamableHttp.ts
  - remove unintentional console log

* * In streamableHttp.ts
  - add comment about why opening cors for all routes

* * In sse.ts
  - add comment about using * with caution in production for cors

* * In sse.ts
  - indent on cors config

---------

Co-authored-by: shaun smith <1936278+evalstate@users.noreply.github.com>
Cliff Hall
2025-09-18 20:28:41 -04:00
committed by GitHub
parent 9280e8fa74
commit f8c05004d0
4 changed files with 34 additions and 1 deletions


@@ -3,10 +3,22 @@ import { InMemoryEventStore } from '@modelcontextprotocol/sdk/examples/shared/in
import express, { Request, Response } from "express";
import { createServer } from "./everything.js";
import { randomUUID } from 'node:crypto';
import cors from 'cors';
console.error('Starting Streamable HTTP server...');
const app = express();
app.use(cors({
"origin": "*", // use "*" with caution in production
"methods": "GET,POST,DELETE",
"preflightContinue": false,
"optionsSuccessStatus": 204,
"exposedHeaders": [
'mcp-session-id',
'last-event-id',
'mcp-protocol-version'
]
})); // Enable CORS for all routes so Inspector can connect
const transports: Map<string, StreamableHTTPServerTransport> = new Map<string, StreamableHTTPServerTransport>();
@@ -15,6 +27,7 @@ app.post('/mcp', async (req: Request, res: Response) => {
try {
// Check for existing session ID
const sessionId = req.headers['mcp-session-id'] as string | undefined;
let transport: StreamableHTTPServerTransport;
if (sessionId && transports.has(sessionId)) {
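Review bot: The `cors({...})` call in the first hunk hard-codes `"origin": "*"` for every route while also listing `mcp-session-id` in `exposedHeaders`, so script running on any web page open in the user's browser can call this server and read the session id from the response. The inline comment warns about production use, but the code gives an operator no way to narrow the origin. Consider reading the allowed origins from configuration and passing them as an array, e.g. `"origin": allowedOrigins, // string[] from config (placeholder name), default to the Inspector's origin`, keeping `"*"` only as an explicit opt-in. Because `allowedHeaders` is not set, the cors middleware reflects whatever headers the preflight requests, so it would also help to list the headers the client actually sends. The listen address is not visible in these hunks; if the server binds beyond loopback, the restriction matters more.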