Merge pull request #253 from koic/support_cors_and_accept_wildcard_for_browser_based_mcp_clients

Support CORS and Accept wildcard for browser-based MCP clients

Author: koic

Gemfile

@@ -11,6 +11,7 @@ gem "rubocop-rake", require: false
 gem "rubocop-shopify", ">= 2.18", require: false if RUBY_VERSION >= "3.1"
 
 gem "puma", ">= 5.0.0"
+gem "rack-cors"
 gem "rackup", ">= 2.1.0"
 
 gem "activesupport"

examples/README.md

@@ -121,6 +121,31 @@ The client will:
 - Provide an interactive menu to trigger notifications
 - Display all received SSE events in real-time
 
+### Testing with MCP Inspector
+
+[MCP Inspector](https://modelcontextprotocol.io/docs/tools/inspector) is a browser-based tool for testing and debugging MCP servers.
+
+1. Start the server:
+
+```console
+$ ruby examples/streamable_http_server.rb
+```
+
+2. Start Inspector in another terminal:
+
+```console
+$ npx @modelcontextprotocol/inspector
+```
+
+3. Open `http://localhost:6274` in a browser:
+
+- Set Transport Type to "Streamable HTTP"
+- Set URL to `http://localhost:9393`
+- Disable the Authorization header toggle (the example server does not require authentication)
+- Click "Connect"
+
+Once connected, you can list tools, call them, and see SSE notifications in the Inspector UI.
+
 ### Testing SSE with cURL
 
 You can also test SSE functionality manually using cURL:

examples/http_server.rb

@@ -2,6 +2,7 @@
 
 $LOAD_PATH.unshift(File.expand_path("../lib", __dir__))
 require "mcp"
+require "rack/cors"
 require "rackup"
 require "json"
 require "logger"
@@ -142,6 +143,20 @@ def template(args, server_context:)
 
 # Wrap the app with Rack middleware
 rack_app = Rack::Builder.new do
+  # Enable CORS to allow browser-based MCP clients (e.g., MCP Inspector)
+  # WARNING: origins("*") allows all origins. Restrict this in production.
+  use(Rack::Cors) do
+    allow do
+      origins("*")
+      resource(
+        "*",
+        headers: :any,
+        methods: [:get, :post, :delete, :options],
+        expose: ["Mcp-Session-Id"],
+      )
+    end
+  end
+
   # Use CommonLogger for standard HTTP request logging
   use(Rack::CommonLogger, Logger.new($stdout))
 

examples/streamable_http_server.rb

@@ -2,6 +2,7 @@
 
 $LOAD_PATH.unshift(File.expand_path("../lib", __dir__))
 require "mcp"
+require "rack/cors"
 require "rackup"
 require "json"
 require "logger"
@@ -129,6 +130,20 @@ def call(message:, delay: 0)
 
 # Build the Rack application with middleware
 rack_app = Rack::Builder.new do
+  # Enable CORS to allow browser-based MCP clients (e.g., MCP Inspector)
+  # WARNING: origins("*") allows all origins. Restrict this in production.
+  use(Rack::Cors) do
+    allow do
+      origins("*")
+      resource(
+        "*",
+        headers: :any,
+        methods: [:get, :post, :delete, :options],
+        expose: ["Mcp-Session-Id"],
+      )
+    end
+  end
+
   use(Rack::CommonLogger, Logger.new($stdout))
   use(Rack::ShowExceptions)
   run(app)

lib/mcp/server/transports/streamable_http_transport.rb

@@ -193,6 +193,8 @@ def validate_accept_header(request, required_types)
           return not_acceptable_response(required_types) unless accept_header
 
           accepted_types = parse_accept_header(accept_header)
+          return if accepted_types.include?("*/*")
+
           missing_types = required_types - accepted_types
           return not_acceptable_response(required_types) unless missing_types.empty?
 

test/mcp/server/transports/streamable_http_transport_test.rb

@@ -855,6 +855,21 @@ class StreamableHTTPTransportTest < ActiveSupport::TestCase
           assert_equal 200, response[0]
         end
 
+        test "POST request with Accept: */* succeeds" do
+          request = create_rack_request_without_accept(
+            "POST",
+            "/",
+            {
+              "CONTENT_TYPE" => "application/json",
+              "HTTP_ACCEPT" => "*/*",
+            },
+            { jsonrpc: "2.0", method: "initialize", id: "123" }.to_json,
+          )
+
+          response = @transport.handle_request(request)
+          assert_equal 200, response[0]
+        end
+
         test "GET request without Accept header returns 406" do
           init_request = create_rack_request(
             "POST",
@@ -928,6 +943,30 @@ class StreamableHTTPTransportTest < ActiveSupport::TestCase
           assert_equal "text/event-stream", response[1]["Content-Type"]
         end
 
+        test "GET request with Accept: */* succeeds" do
+          init_request = create_rack_request(
+            "POST",
+            "/",
+            { "CONTENT_TYPE" => "application/json" },
+            { jsonrpc: "2.0", method: "initialize", id: "123" }.to_json,
+          )
+          init_response = @transport.handle_request(init_request)
+          session_id = init_response[1]["Mcp-Session-Id"]
+
+          request = create_rack_request_without_accept(
+            "GET",
+            "/",
+            {
+              "HTTP_MCP_SESSION_ID" => session_id,
+              "HTTP_ACCEPT" => "*/*",
+            },
+          )
+
+          response = @transport.handle_request(request)
+          assert_equal 200, response[0]
+          assert_equal "text/event-stream", response[1]["Content-Type"]
+        end
+
         test "stateless mode allows requests without session IDs, responding with no session ID" do
           stateless_transport = StreamableHTTPTransport.new(@server, stateless: true)