Describe the bug
A hardcoded wildcard CORS header (Access-Control-Allow-Origin: *) is set by default on every response via withCorsHeaders().
Details
Here is the code -
https://github.com/modelcontextprotocol/php-sdk/blob/main/src/Server/Transport/StreamableHttpTransport.php#L74
The CORS headers can be overridden at https://github.com/modelcontextprotocol/php-sdk/blob/main/src/Server/Transport/StreamableHttpTransport.php#L64, but I believe the SDK should follow the secure-by-default principle and let deployers explicitly set insecure values if they need to.
Recommendation
In the SDK, the transport layer should not own CORS policy. Server implementors who need cross-origin access can add a CORS filter at the servlet filter or Spring Security layer.
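For contrast, here is an added example (not code from the php-sdk, and not its withCorsHeaders() API) of the wildcard default described in this report next to a secure-by-default alternative: the server emits Access-Control-Allow-Origin only when the request's Origin exactly matches an explicitly configured allowlist, and an empty allowlist (the default) grants no cross-origin access at all. The allowlist parameter and the function names are assumptions for illustration.

```php
<?php
declare(strict_types=1);

/**
 * The behaviour this issue reports: a wildcard origin attached to every
 * response regardless of who sent the request. Any web page in a browser
 * can then read responses from this endpoint.
 * (Added example, not the SDK's own withCorsHeaders().)
 */
function insecureDefaultCorsHeaders(): array
{
    return ['Access-Control-Allow-Origin' => '*'];
}

/**
 * Secure-by-default alternative (added example, hypothetical helper):
 * the deployer must opt in by listing allowed origins; nothing is
 * allowed otherwise.
 *
 * @param string|null $origin          value of the request's Origin header, if any
 * @param string[]    $allowedOrigins  exact origins such as "https://app.example"
 */
function corsHeadersForOrigin(?string $origin, array $allowedOrigins = []): array
{
    // No Origin header: same-origin request or non-browser client, so there
    // is nothing to allow and no CORS header should be emitted.
    if ($origin === null || $origin === '') {
        return [];
    }

    // Exact, case-sensitive match on the full origin (scheme://host[:port]).
    // Never use prefix or substring matching: "https://app.example.attacker.net"
    // would pass a naive str_starts_with($origin, 'https://app.example') check.
    if (!in_array($origin, $allowedOrigins, true)) {
        return [];
    }

    return [
        // Echo the matched origin rather than '*', so the grant is scoped.
        'Access-Control-Allow-Origin' => $origin,
        // The response now differs per Origin; shared caches must key on it,
        // otherwise one origin's allow header could be served to another.
        'Vary' => 'Origin',
    ];
}

/** Apply a header map to the current PHP response. */
function emitHeaders(array $headers): void
{
    foreach ($headers as $name => $value) {
        header($name . ': ' . $value);
    }
}

// Constructed inputs for a stand-alone run (php thisfile.php).
$allowlist = ['https://app.example', 'http://localhost:3000'];

$cases = [
    null,                                 // no Origin header
    'https://app.example',                // allowlisted
    'https://app.example.attacker.net',   // lookalike, must be rejected
    'https://evil.example',               // arbitrary third party
];

foreach ($cases as $origin) {
    $label = $origin ?? '(no Origin header)';
    echo "Origin: {$label}\n";
    echo '  insecure default: ' . json_encode(insecureDefaultCorsHeaders()) . "\n";
    echo '  allowlisted:      ' . json_encode(corsHeadersForOrigin($origin, $allowlist)) . "\n";
    // In a real handler you would call emitHeaders(corsHeadersForOrigin(
    //     $_SERVER['HTTP_ORIGIN'] ?? null, $allowlist));
}
```

With this shape, a deployment that never configures the allowlist sends no Access-Control-Allow-Origin header at all, which is the "secure by default" behaviour the report asks for; cross-origin access becomes an explicit, reviewable setting instead of the transport's baseline.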