Open CORS for any origin to allow direct browser connection (#2725)

* * In src/everything/sse.ts
  - import cors
  - use cors with config allowing any origin + GET/POST
* In src/everything/streamableHttp.ts
  - import cors
    - use cors with config allowing any origin + GET/POST/DELETE, and exposed protocol headers for client to read
* In package.json and package-lock.json
  - add cors as a dependency

* * In package.json and package-lock.json
  - add @types/cors as dev dependency

* Add caution note for CORS origin wildcard usage

Added caution note for using '*' in CORS origin.

* * In streamableHttp.ts
  - remove remove unintentional console log

* * In streamableHttp.ts
  - add comment about why opening cors for all routes

* * In sse.ts
  - add comment about using * with caution in production for cors

* * In sse.ts
  - indent on cors config

---------

Co-authored-by: shaun smith <1936278+evalstate@users.noreply.github.com>

package-lock.json

@@ -1376,6 +1376,16 @@
         "@types/node": "*"
       }
     },
+    "node_modules/@types/cors": {
+      "version": "2.8.19",
+      "resolved": "https://registry.npmjs.org/@types/cors/-/cors-2.8.19.tgz",
+      "integrity": "sha512-mFNylyeyqN93lfe/9CSxOGREz8cpzAhH+E93xJ4xWQf62V8sQ/24reV2nyzUWM6H6Xji+GGHpkbLe7pVoUEskg==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@types/node": "*"
+      }
+    },
     "node_modules/@types/diff": {
       "version": "5.2.3",
       "resolved": "https://registry.npmjs.org/@types/diff/-/diff-5.2.3.tgz",
@@ -5819,6 +5829,7 @@
       "license": "MIT",
       "dependencies": {
         "@modelcontextprotocol/sdk": "^1.18.0",
+        "cors": "^2.8.5",
         "express": "^4.21.1",
         "zod": "^3.23.8",
         "zod-to-json-schema": "^3.23.5"
@@ -5827,6 +5838,7 @@
         "mcp-server-everything": "dist/index.js"
       },
       "devDependencies": {
+        "@types/cors": "^2.8.19",
         "@types/express": "^5.0.0",
         "shx": "^0.3.4",
         "typescript": "^5.6.2"

src/everything/package.json

@@ -23,11 +23,13 @@
   },
   "dependencies": {
     "@modelcontextprotocol/sdk": "^1.18.0",
+    "cors": "^2.8.5",
     "express": "^4.21.1",
     "zod": "^3.23.8",
     "zod-to-json-schema": "^3.23.5"
   },
   "devDependencies": {
+    "@types/cors": "^2.8.19",
     "@types/express": "^5.0.0",
     "shx": "^0.3.4",
     "typescript": "^5.6.2"

src/everything/sse.ts

@@ -1,11 +1,17 @@
 import { SSEServerTransport } from "@modelcontextprotocol/sdk/server/sse.js";
 import express from "express";
 import { createServer } from "./everything.js";
+import cors from 'cors';
 
 console.error('Starting SSE server...');
 
 const app = express();
-
+app.use(cors({
+    "origin": "*", // use "*" with caution in production
+    "methods": "GET,POST",
+    "preflightContinue": false,
+    "optionsSuccessStatus": 204,
+})); // Enable CORS for all routes so Inspector can connect
 const transports: Map<string, SSEServerTransport> = new Map<string, SSEServerTransport>();
 
 app.get("/sse", async (req, res) => {

src/everything/streamableHttp.ts

@@ -3,10 +3,22 @@ import { InMemoryEventStore } from '@modelcontextprotocol/sdk/examples/shared/in
 import express, { Request, Response } from "express";
 import { createServer } from "./everything.js";
 import { randomUUID } from 'node:crypto';
+import cors from 'cors';
 
 console.error('Starting Streamable HTTP server...');
 
 const app = express();
+app.use(cors({
+    "origin": "*", // use "*" with caution in production
+    "methods": "GET,POST,DELETE",
+    "preflightContinue": false,
+    "optionsSuccessStatus": 204,
+    "exposedHeaders": [
+        'mcp-session-id',
+        'last-event-id',
+        'mcp-protocol-version'
+    ]
+})); // Enable CORS for all routes so Inspector can connect
 
 const transports: Map<string, StreamableHTTPServerTransport> = new Map<string, StreamableHTTPServerTransport>();
 
@@ -15,6 +27,7 @@ app.post('/mcp', async (req: Request, res: Response) => {
   try {
     // Check for existing session ID
     const sessionId = req.headers['mcp-session-id'] as string | undefined;
+
     let transport: StreamableHTTPServerTransport;
 
     if (sessionId && transports.has(sessionId)) {