Skip to content

feat: Add CORS configuration for browser-based MCP clients #713

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

feat: Add CORS configuration for browser-based MCP clients #713

wants to merge 1 commit into from
+41 −0

Conversation

jerome3o-anthropic
Copy link
Member

Summary

  • Add CORS middleware to example servers to expose the Mcp-Session-Id header
  • Add documentation for CORS configuration in the README
  • Use minimal CORS settings (only expose required headers and methods)

Problem

Browser-based MCP clients cannot access the Mcp-Session-Id header from initialization responses due to CORS restrictions. Without this header, they cannot establish sessions with MCP servers.

Solution

This PR adds the cors npm package to example servers and configures it to expose the Mcp-Session-Id header via Access-Control-Expose-Headers. The configuration is minimal, only exposing what's necessary for MCP protocol operation.

Changes

  • Add cors import and middleware to:
    • sseAndStreamableHttpCompatibleServer.ts
    • simpleStatelessStreamableHttp.ts
    • jsonResponseStreamableHttp.ts
  • Add CORS configuration section to README explaining when and how to configure CORS for browser clients

Test plan

  • Example servers start successfully with CORS configured
  • Browser-based clients can read the Mcp-Session-Id header from responses
  • CORS headers are properly set on responses

Reported-by: Jerome

@jerome3o-anthropic
feat: Add CORS configuration for browser-based MCP clients
6c23ed6 
- Add cors middleware to example servers with Mcp-Session-Id exposed
- Add CORS documentation section to README
- Configure minimal CORS settings (only expose required headers)

This enables browser-based clients to connect to MCP servers by properly
exposing the Mcp-Session-Id header required for session management.

Reported-by: Jerome
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@jerome3o-anthropic