Open CORS for any origin to allow direct browser connection (#2725)

* * In src/everything/sse.ts
  - import cors
  - use cors with config allowing any origin + GET/POST
* In src/everything/streamableHttp.ts
  - import cors
    - use cors with config allowing any origin + GET/POST/DELETE, and exposed protocol headers for client to read
* In package.json and package-lock.json
  - add cors as a dependency

* * In package.json and package-lock.json
  - add @types/cors as dev dependency

* Add caution note for CORS origin wildcard usage

Added caution note for using '*' in CORS origin.

* * In streamableHttp.ts
  - remove remove unintentional console log

* * In streamableHttp.ts
  - add comment about why opening cors for all routes

* * In sse.ts
  - add comment about using * with caution in production for cors

* * In sse.ts
  - indent on cors config

---------

Co-authored-by: shaun smith <1936278+evalstate@users.noreply.github.com>

package-lock.json

@@ -1376,6 +1376,16 @@
         "@types/node": "*"
       }
     },
+    "node_modules/@types/cors": {
+      "version": "2.8.19",
+      "resolved": "https://registry.npmjs.org/@types/cors/-/cors-2.8.19.tgz",
+      "integrity": "sha512-mFNylyeyqN93lfe/9CSxOGREz8cpzAhH+E93xJ4xWQf62V8sQ/24reV2nyzUWM6H6Xji+GGHpkbLe7pVoUEskg==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@types/node": "*"
+      }
+    },
     "node_modules/@types/diff": {
       "version": "5.2.3",
       "resolved": "https://registry.npmjs.org/@types/diff/-/diff-5.2.3.tgz",
@@ -5819,6 +5829,7 @@
       "license": "MIT",
       "dependencies": {
         "@modelcontextprotocol/sdk": "^1.18.0",
+        "cors": "^2.8.5",
         "express": "^4.21.1",
         "zod": "^3.23.8",
         "zod-to-json-schema": "^3.23.5"
@@ -5827,6 +5838,7 @@
         "mcp-server-everything": "dist/index.js"
       },
       "devDependencies": {
+        "@types/cors": "^2.8.19",
         "@types/express": "^5.0.0",
         "shx": "^0.3.4",
         "typescript": "^5.6.2"