feat: Add CORS configuration for browser-based MCP clients #1059

Open
wants to merge 1 commit into
base: main

jerome3o-anthropic
Member

Summary

  • Add CORS middleware to streamable HTTP example servers
  • Configure minimal CORS settings to expose Mcp-Session-Id header
  • Add documentation for CORS configuration in the README

Problem

Browser-based MCP clients cannot access the Mcp-Session-Id header from initialization responses due to CORS restrictions. Without this header, they cannot establish sessions with MCP servers.

Solution

This PR adds Starlette's CORSMiddleware to the example servers and configures it to expose the Mcp-Session-Id header via expose_headers. The configuration is minimal, only allowing the HTTP methods required by the MCP protocol (GET, POST, DELETE).

Changes

  • Add CORSMiddleware import and configuration to:
    • examples/servers/simple-streamablehttp/mcp_simple_streamablehttp/server.py
    • examples/servers/simple-streamablehttp-stateless/mcp_simple_streamablehttp_stateless/server.py
  • Add CORS configuration section to README under "Streamable HTTP Transport"

Test plan

  • Example servers start successfully with CORS configured
  • Browser-based clients can read the Mcp-Session-Id header from responses
  • CORS headers are properly set on responses
  • Only GET, POST, and DELETE methods are allowed

Reported-by: Jerome

- Add CORSMiddleware to streamable HTTP example servers
- Configure minimal CORS with Mcp-Session-Id exposed
- Add CORS documentation section to README

This enables browser-based clients to connect to MCP servers by properly
exposing the Mcp-Session-Id header required for session management.

Reported-by: Jerome
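
Added example, not code from this PR or the SDK: a standard-library model of which response headers a browser lets cross-origin JavaScript read, showing why `Mcp-Session-Id` stays hidden until it is listed in `expose_headers`. The origin, the session id value and all function names are assumptions made for illustration.

```python
# CORS-safelisted response header names (Fetch standard): readable without opt-in.
SAFELISTED = frozenset({
    "cache-control", "content-language", "content-length",
    "content-type", "expires", "last-modified", "pragma",
})

# Keyword arguments in the shape Starlette's CORSMiddleware accepts.
# The origin is a constructed placeholder; the PR text does not state one.
CORS_SETTINGS = {
    "allow_origins": ["https://client.example"],
    "allow_methods": ["GET", "POST", "DELETE"],
    "expose_headers": ["Mcp-Session-Id"],
}


def cors_headers(settings, origin):
    """Model of the headers a CORS layer adds to a non-preflight response."""
    allowed = settings.get("allow_origins", [])
    if "*" in allowed:
        headers = {"Access-Control-Allow-Origin": "*"}
    elif origin in allowed:
        headers = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    else:
        return {}  # origin not allowed: no CORS headers at all
    if settings.get("expose_headers"):
        headers["Access-Control-Expose-Headers"] = ", ".join(settings["expose_headers"])
    return headers


def readable_by_script(response_headers, origin):
    """Header names page JavaScript can read on a non-credentialed cross-origin response."""
    lower = {name.lower(): value for name, value in response_headers.items()}
    if lower.get("access-control-allow-origin") not in ("*", origin):
        return set()  # the browser withholds the whole response
    exposed = {h.strip().lower()
               for h in lower.get("access-control-expose-headers", "").split(",")
               if h.strip()}
    if "*" in exposed:
        return set(lower) - {"set-cookie"}  # wildcard exposes all but forbidden names
    return (SAFELISTED | exposed) & set(lower)


def session_id_visible(settings, origin="https://client.example"):
    """True if a browser client at `origin` could read Mcp-Session-Id."""
    # Constructed initialize response from an MCP streamable HTTP server.
    response = {"Content-Type": "text/event-stream", "Mcp-Session-Id": "constructed-id"}
    response.update(cors_headers(settings, origin))
    return "mcp-session-id" in readable_by_script(response, origin)
```

Running `session_id_visible` against a deployed server's intended settings is a quick check that the header is exposed only to the origins that are meant to receive it.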