feat: add CORS support to registry API#711
Merged
domdomegg merged 5 commits intomodelcontextprotocol:mainfrom Oct 27, 2025
Merged
feat: add CORS support to registry API#711domdomegg merged 5 commits intomodelcontextprotocol:mainfrom
domdomegg merged 5 commits intomodelcontextprotocol:mainfrom
Conversation
Add Cross-Origin Resource Sharing (CORS) middleware to enable browser-based clients and web applications to access the registry API. Changes: - Add CORSMiddleware in internal/api/cors.go to handle preflight OPTIONS requests and inject CORS headers into all responses - Integrate CORS middleware into the server middleware stack in internal/api/server.go between TrailingSlashMiddleware and the mux - Add CORS configuration options to internal/config/config.go: - CORS_ENABLED (default: true) to enable/disable CORS - CORS_ALLOWED_ORIGIN (default: *) to configure allowed origins The middleware adds the following headers to all responses: - Access-Control-Allow-Origin - Access-Control-Allow-Methods - Access-Control-Allow-Headers - Access-Control-Expose-Headers - Access-Control-Max-Age This resolves issues where browser-based tools, VS Code extensions, and web applications were unable to query the registry API due to browser security policies blocking cross-origin requests.
domdomegg
requested changes
Oct 26, 2025
Member
domdomegg
left a comment
domdomegg
left a comment
There was a problem hiding this comment.
Thanks, this generally LGTM.
Can we:
- Add tests
- Remove the config option: prefer convention > configuration
Also would have a slight preference to a well-used cors library if there is one in Golang, but happy with this.
Contributor
Author
|
Thanks for the feedback! I've updated the PR to address all the comments: Changes made:
CORS Configuration:
All tests pass with |
Member
|
Thanks! I don't seem to be able to see the changes you mentioned in your most recent comment - are you sure you've pushed them to this branch? |
Replace custom CORS middleware with rs/cors library and remove configuration options in favor of convention over configuration. - Add rs/cors dependency - Remove custom CORS implementation - Remove CORS config options from config.go - Configure CORS with permissive settings for public API - Add CORS tests
Contributor
Author
|
@domdomegg my bad, I updated from |
Swathi-MuraliSrinivasan
pushed a commit
to Swathi-MuraliSrinivasan/paychex-mcp-registry
that referenced
this pull request
Nov 20, 2025
Fixes modelcontextprotocol#710 This PR adds CORS middleware to enable browser-based clients and web applications to access the registry API. ## Changes - Add CORSMiddleware in internal/api/cors.go to handle preflight OPTIONS requests and inject CORS headers - Integrate CORS middleware into the server middleware stack - Add CORS configuration options (CORS_ENABLED and CORS_ALLOWED_ORIGIN) ## Testing - All existing tests pass - Manual testing confirms CORS headers are present in responses - OPTIONS preflight requests now return 204 with proper headers ## Configuration New environment variables: - MCP_REGISTRY_CORS_ENABLED (default: true) - MCP_REGISTRY_CORS_ALLOWED_ORIGIN (default: *)
slimslenderslacks
pushed a commit
to slimslenderslacks/registry
that referenced
this pull request
Dec 18, 2025
Fixes modelcontextprotocol#710 This PR adds CORS middleware to enable browser-based clients and web applications to access the registry API. - Add CORSMiddleware in internal/api/cors.go to handle preflight OPTIONS requests and inject CORS headers - Integrate CORS middleware into the server middleware stack - Add CORS configuration options (CORS_ENABLED and CORS_ALLOWED_ORIGIN) - All existing tests pass - Manual testing confirms CORS headers are present in responses - OPTIONS preflight requests now return 204 with proper headers New environment variables: - MCP_REGISTRY_CORS_ENABLED (default: true) - MCP_REGISTRY_CORS_ALLOWED_ORIGIN (default: *)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes #710
This PR adds CORS middleware to enable browser-based clients and web applications to access the registry API.
Changes
Testing
Configuration
New environment variables: