From e5d3b2c13596e78cddf5d5528758e7a53d6664a8 Mon Sep 17 00:00:00 2001 From: Koichi ITO Date: Sun, 22 Feb 2026 17:31:55 +0900 Subject: [PATCH] Support CORS and Accept wildcard for browser-based MCP clients ## Summary When using browser-based MCP clients such as MCP Inspector, connections to the example HTTP server failed due to two issues: 1. CORS preflight (OPTIONS) requests returned 405 Method Not Allowed, causing browsers to block all cross-origin requests. 2. `Accept: */*` (commonly sent by browsers and fetch API) returned 406 Not Acceptable because the transport required the Accept header to explicitly list `application/json` and `text/event-stream`. Add `rack-cors` middleware to the example HTTP servers so that preflight requests are handled correctly and `Mcp-Session-Id` is exposed to browser clients. Also fix `validate_accept_header` in `StreamableHTTPTransport` to treat `*/*` as satisfying all required Accept types. Fixes #141. ## Repro Steps ### 1. Start the example server (Terminal 1) ```console $ bundle exec ruby examples/streamable_http_server.rb ``` ### 2. Start MCP Inspector (Terminal 2) ```console $ npx @modelcontextprotocol/inspector ``` ### 3. Open the Inspector Web UI (http://localhost:6274) in a browser - Set Transport Type to "Streamable HTTP" - Set URL to http://localhost:9393 - Disable the Authorization header toggle (the example server does not require authentication) - Click "Connect" Before this change, the connection fails due to CORS or 406 errors. After this change, the connection succeeds and tools are listed. These steps have been added to examples/README.md. --- Gemfile | 1 + examples/README.md | 25 ++++++++++++ examples/http_server.rb | 15 +++++++ examples/streamable_http_server.rb | 15 +++++++ .../transports/streamable_http_transport.rb | 2 + .../streamable_http_transport_test.rb | 39 +++++++++++++++++++ 6 files changed, 97 insertions(+) diff --git a/Gemfile b/Gemfile index fa2d2b89..5166516d 100644 --- a/Gemfile +++ b/Gemfile @@ -11,6 +11,7 @@ gem "rubocop-rake", require: false gem "rubocop-shopify", ">= 2.18", require: false if RUBY_VERSION >= "3.1" gem "puma", ">= 5.0.0" +gem "rack-cors" gem "rackup", ">= 2.1.0" gem "activesupport" diff --git a/examples/README.md b/examples/README.md index 17de63bf..99aa6a69 100644 --- a/examples/README.md +++ b/examples/README.md @@ -121,6 +121,31 @@ The client will: - Provide an interactive menu to trigger notifications - Display all received SSE events in real-time +### Testing with MCP Inspector + +[MCP Inspector](https://modelcontextprotocol.io/docs/tools/inspector) is a browser-based tool for testing and debugging MCP servers. + +1. Start the server: + +```console +$ ruby examples/streamable_http_server.rb +``` + +2. Start Inspector in another terminal: + +```console +$ npx @modelcontextprotocol/inspector +``` + +3. Open `http://localhost:6274` in a browser: + +- Set Transport Type to "Streamable HTTP" +- Set URL to `http://localhost:9393` +- Disable the Authorization header toggle (the example server does not require authentication) +- Click "Connect" + +Once connected, you can list tools, call them, and see SSE notifications in the Inspector UI. + ### Testing SSE with cURL You can also test SSE functionality manually using cURL: diff --git a/examples/http_server.rb b/examples/http_server.rb index df4189ca..7c0e760c 100644 --- a/examples/http_server.rb +++ b/examples/http_server.rb @@ -2,6 +2,7 @@ $LOAD_PATH.unshift(File.expand_path("../lib", __dir__)) require "mcp" +require "rack/cors" require "rackup" require "json" require "logger" @@ -142,6 +143,20 @@ def template(args, server_context:) # Wrap the app with Rack middleware rack_app = Rack::Builder.new do + # Enable CORS to allow browser-based MCP clients (e.g., MCP Inspector) + # WARNING: origins("*") allows all origins. Restrict this in production. + use(Rack::Cors) do + allow do + origins("*") + resource( + "*", + headers: :any, + methods: [:get, :post, :delete, :options], + expose: ["Mcp-Session-Id"], + ) + end + end + # Use CommonLogger for standard HTTP request logging use(Rack::CommonLogger, Logger.new($stdout)) diff --git a/examples/streamable_http_server.rb b/examples/streamable_http_server.rb index 4664f194..a7857f63 100644 --- a/examples/streamable_http_server.rb +++ b/examples/streamable_http_server.rb @@ -2,6 +2,7 @@ $LOAD_PATH.unshift(File.expand_path("../lib", __dir__)) require "mcp" +require "rack/cors" require "rackup" require "json" require "logger" @@ -129,6 +130,20 @@ def call(message:, delay: 0) # Build the Rack application with middleware rack_app = Rack::Builder.new do + # Enable CORS to allow browser-based MCP clients (e.g., MCP Inspector) + # WARNING: origins("*") allows all origins. Restrict this in production. + use(Rack::Cors) do + allow do + origins("*") + resource( + "*", + headers: :any, + methods: [:get, :post, :delete, :options], + expose: ["Mcp-Session-Id"], + ) + end + end + use(Rack::CommonLogger, Logger.new($stdout)) use(Rack::ShowExceptions) run(app) diff --git a/lib/mcp/server/transports/streamable_http_transport.rb b/lib/mcp/server/transports/streamable_http_transport.rb index ff9977d9..d9cd4706 100644 --- a/lib/mcp/server/transports/streamable_http_transport.rb +++ b/lib/mcp/server/transports/streamable_http_transport.rb @@ -193,6 +193,8 @@ def validate_accept_header(request, required_types) return not_acceptable_response(required_types) unless accept_header accepted_types = parse_accept_header(accept_header) + return if accepted_types.include?("*/*") + missing_types = required_types - accepted_types return not_acceptable_response(required_types) unless missing_types.empty? diff --git a/test/mcp/server/transports/streamable_http_transport_test.rb b/test/mcp/server/transports/streamable_http_transport_test.rb index 56f08939..7066e4d3 100644 --- a/test/mcp/server/transports/streamable_http_transport_test.rb +++ b/test/mcp/server/transports/streamable_http_transport_test.rb @@ -855,6 +855,21 @@ class StreamableHTTPTransportTest < ActiveSupport::TestCase assert_equal 200, response[0] end + test "POST request with Accept: */* succeeds" do + request = create_rack_request_without_accept( + "POST", + "/", + { + "CONTENT_TYPE" => "application/json", + "HTTP_ACCEPT" => "*/*", + }, + { jsonrpc: "2.0", method: "initialize", id: "123" }.to_json, + ) + + response = @transport.handle_request(request) + assert_equal 200, response[0] + end + test "GET request without Accept header returns 406" do init_request = create_rack_request( "POST", @@ -928,6 +943,30 @@ class StreamableHTTPTransportTest < ActiveSupport::TestCase assert_equal "text/event-stream", response[1]["Content-Type"] end + test "GET request with Accept: */* succeeds" do + init_request = create_rack_request( + "POST", + "/", + { "CONTENT_TYPE" => "application/json" }, + { jsonrpc: "2.0", method: "initialize", id: "123" }.to_json, + ) + init_response = @transport.handle_request(init_request) + session_id = init_response[1]["Mcp-Session-Id"] + + request = create_rack_request_without_accept( + "GET", + "/", + { + "HTTP_MCP_SESSION_ID" => session_id, + "HTTP_ACCEPT" => "*/*", + }, + ) + + response = @transport.handle_request(request) + assert_equal 200, response[0] + assert_equal "text/event-stream", response[1]["Content-Type"] + end + test "stateless mode allows requests without session IDs, responding with no session ID" do stateless_transport = StreamableHTTPTransport.new(@server, stateless: true)