Skip to content

Update readme file to include a tip to allow mcp-session-id in CORS when using StreamableHTTP #633

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 11 commits into from
Jun 25, 2025
Merged

Update readme file to include a tip to allow mcp-session-id in CORS when using StreamableHTTP #633

merged 11 commits into from
Jun 25, 2025
+15 −0

Conversation

Achintha444
Copy link
Contributor

Motivation and Context

I think this should be included in the main README, as it’s a unique case and developers might waste a lot of time trying to solve this small issue.

How Has This Been Tested?

N/A

Breaking Changes

N/A

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Checklist

  • I have read the MCP Documentation
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • I have added or updated documentation as needed

Additional context
@Achintha444 Achintha444 mentioned this pull request Jun 16, 2025
Closed
ihrpr
ihrpr requested changes Jun 25, 2025
View reviewed changes
Copy link
Contributor

@ihrpr ihrpr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for contributing to Typescript SDK!

While the CORS issue is real and documented guidance is needed, the current example has security concerns. The example uses origin: '*' which is unsafe for production.
Please could you update to use a secure CORS example with specific origins instead of wildcard
@Achintha444
Copy link
Contributor Author

Thank you for contributing to Typescript SDK!

While the CORS issue is real and documented guidance is needed, the current example has security concerns. The example uses origin: '*' which is unsafe for production. Please could you update to use a secure CORS example with specific origins instead of wildcard

Thank you for pointing that out. I completely understand your point. I added that as a quick example, but you're right about the security risks. I'll update it to use a more secure CORS configuration with specific origins instead of a wildcard.
@Achintha444
Copy link
Contributor Author

Thank you for contributing to Typescript SDK!

While the CORS issue is real and documented guidance is needed, the current example has security concerns. The example uses origin: '*' which is unsafe for production. Please could you update to use a secure CORS example with specific origins instead of wildcard

PR updated
@Achintha444 Achintha444 requested a review from ihrpr June 25, 2025 15:35
ihrpr
ihrpr approved these changes Jun 25, 2025
View reviewed changes
Copy link
Contributor

@ihrpr ihrpr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you!
@ihrpr ihrpr merged commit 909fe5d into modelcontextprotocol:main Jun 25, 2025
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
2 participants
@Achintha444 @ihrpr