Skip to content

Commit 4ed39d7

Browse files
committed
State precisely what a subscription filter can and cannot leak
1 parent 40cbe03 commit 4ed39d7

1 file changed

Lines changed: 5 additions & 4 deletions

File tree

docs/handlers/subscriptions.md

Lines changed: 5 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -45,10 +45,11 @@ Two things the stream is *not*:
4545

4646
!!! warning
4747
Don't publish sensitive per-user URIs through `notify_resource_updated` on a multi-tenant
48-
server. Any client may name any URI in its filter, including one it cannot read, and
49-
`MCPServer` honors it. Those notifications reveal that a resource changed and when, never
50-
its content. To narrow that, serve the method with your own handler on the low-level
51-
`Server` and acknowledge a smaller filter than the client asked for.
48+
server. Any client may name any URI in its filter, and `MCPServer` honors it. The exposure
49+
is narrow but real: a subscriber learns that a URI it can guess changed, and when. It never
50+
learns content, and it cannot probe what exists, because an unknown URI is honored too and
51+
simply never fires. To narrow the filter per client today, serve the method with your own
52+
handler on the low-level `Server` and acknowledge a smaller filter than the client asked for.
5253

5354
!!! warning "Streamable HTTP only, for now"
5455
`subscriptions/listen` needs a transport that can stream a request's response, which today

0 commit comments

Comments
 (0)