fix: ensure appropriate CORS headers for browser based MCP clients #2307
jappievw wants to merge 1 commit into
Signed-off-by: Jasper van Wanrooy <jasper@vanwanrooy.net>
e77d0d2 to 24dfb04
Codecov Report ❌ Patch coverage is
Additional details and impacted files
@@ Coverage Diff @@
##             main    #2307      +/-   ##
==========================================
+ Coverage   84.88%   84.93%   +0.05%
==========================================
  Files         144      144
  Lines       21255    21248       -7
==========================================
+ Hits        18043    18048       +5
+ Misses       2132     2126       -6
+ Partials     1080     1074       -6
nacx
left a comment
Thanks! Overall LGTM!
I'm curious about:
This allows MCP Inspector to connect to an MCP Server exposed by the AI Gateway.
Could you describe what did not work properly? While developing the MCP feature we used the MCP inspector extensively without issues, so I'm wondering what issues you found?
Hritik003
left a comment
Thanks for pointing it out, I remember facing this issue while trying out the PoC with MCP Route OAuth. Had to exclusively add the CORS policy for the well-known HTTP Route for the inspector to be able to send requests.
LGTM, one minor comment
// CORS applies to every MCP route (browser MCP requests are always preflighted). Envoy Gateway orders
// the cors filter ahead of the auth filters, so a preflight OPTIONS is answered and short-circuited
// before jwt_authn/ext_authz — the preflight is never authenticated.
securityPolicySpec.CORS = &egv1a1.CORS{
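Review bot: because the comment above states that the preflight is short-circuited before jwt_authn/ext_authz, the origin allow-list inside this egv1a1.CORS block is the only control on unauthenticated OPTIONS requests, so it should name the browser-client origins explicitly rather than a wildcard, and the PR description should say which origins are allowed; also consider setting the maxAge field the reviewer asks about so the browser does not repeat the preflight on every MCP request.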
Is there a performance concern here by not setting egv1a1.CORS.maxAge (maxAge tells the browser how long it can cache the preflight response)?
Description
This PR ensures that the appropriate CORS headers are included both for the .well-known paths as well as the main MCP route. This allows MCP Inspector to connect to an MCP Server exposed by the AI Gateway.
Related Issues/PRs (if applicable)
The CORS headers implemented to support the MCP Inspector were not functioning properly.
For the .well-known/oauth-protected-resource/mcp path CORS headers were returned, see below:
The access-control-allow-headers and access-control-allow-methods are not needed for the protected resources path.
The OPTIONS preflight request for the /mcp route returns an HTTP 401 due to an authorization error, see response headers below:
There are two problems with this response:
Special notes for reviewers (if applicable)
The Envoy SecurityPolicy is now always included to serve the OPTIONS preflight requests and include CORS headers.
This PR has been created with help from Claude (thank you)
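The filter-order problem the description reports (an unauthenticated OPTIONS preflight for /mcp answered with HTTP 401), modelled as an added, self-contained Go example that is not code from this PR or from Envoy AI Gateway: RequireAuth stands in for jwt_authn/ext_authz, CORS for Envoy's cors filter, and PreflightAccepted replays the browser client's preflight; the origin http://localhost:6274 used in the test is a constructed sample.

```go
package main

import (
	"net/http"
	"net/http/httptest"
	"strings"
)

// PreflightAccepted replays the OPTIONS preflight a browser-based MCP client sends before
// POSTing to /mcp: true only if it came back unauthenticated (no 401) with the origin echoed.
func PreflightAccepted(gateway http.Handler, origin string) bool {
	req := httptest.NewRequest(http.MethodOptions, "/mcp", nil)
	req.Header.Set("Origin", origin)
	req.Header.Set("Access-Control-Request-Method", "POST")
	rec := httptest.NewRecorder()
	gateway.ServeHTTP(rec, req)
	if rec.Code != http.StatusOK && rec.Code != http.StatusNoContent {
		return false // e.g. HTTP 401: an auth filter saw the preflight before the cors filter
	}
	h := rec.Header()
	return h.Get("Access-Control-Allow-Origin") == origin && strings.Contains(h.Get("Access-Control-Allow-Methods"), "POST")
}

// RequireAuth stands in for jwt_authn/ext_authz: no bearer token, no service.
func RequireAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !strings.HasPrefix(r.Header.Get("Authorization"), "Bearer ") {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// CORS stands in for Envoy's cors filter: a preflight from the allowed origin is answered
// and short-circuited here (never authenticated); every other request continues to next.
func CORS(allowedOrigin string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Origin") == allowedOrigin {
			w.Header().Set("Access-Control-Allow-Origin", allowedOrigin)
			if r.Method == http.MethodOptions && r.Header.Get("Access-Control-Request-Method") != "" {
				w.Header().Set("Access-Control-Allow-Methods", "GET, POST, DELETE")
				w.WriteHeader(http.StatusNoContent)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// MCP is a placeholder upstream (constructed); only the filter order in front of it matters here.
var MCP = http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
```

RequireAuth(CORS(origin, MCP)) reproduces the broken ordering (preflight gets 401), while CORS(origin, RequireAuth(MCP)) matches the order the PR relies on, where the preflight is answered and a real POST without a token is still rejected.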