
feat(client): add credentials: 'include' toggle for cookie-auth servers #1580

Open
SarthakB11 wants to merge 1 commit into
modelcontextprotocol:main from
SarthakB11:feat/credentials-include-1454


@SarthakB11


Title: feat(web): add "Send cookies" toggle for direct Streamable HTTP connections (closes #1454)

Closes #1454.

Summary

Adds a "Send cookies (credentials: include)" checkbox to the connection settings
panel. When enabled, the direct transport passes credentials: 'include' on its
fetch calls so the browser attaches cookies stored for the target origin. Feature is default-off and follows the same UI+localStorage pattern used in the recently-merged connection-settings additions (#1553, #1551).

The browser treats Cookie as a forbidden header, so JavaScript cannot set it
manually. credentials: 'include' is the only standards-compliant way to send
cookies on a cross-origin request. Without it, MCP servers that rely on
cookie-based auth or session routing are unreachable from the inspector UI
unless the built bundle is patched by hand.

Changes

  • New checkbox in the Sidebar connection settings, shown only when Connection
    Type is Direct (the option does not apply to the proxy transport, which
    forwards cookies server-side).
  • credentialsInclude plumbed through App into useConnection; both direct
    fetch call sites (SSE and Streamable HTTP) add credentials: 'include' only
    when the toggle is on.
  • State persists across sessions in localStorage under lastCredentialsInclude,
    matching the existing lastConnectionType persistence.
  • Tooltip notes the server-side requirements: Access-Control-Allow-Credentials: true, a non-wildcard Access-Control-Allow-Origin, and SameSite=None; Secure for cross-site cookies.

Behavior

  • Default: off. Fetch behavior is unchanged from today.
  • On: credentials: 'include' is added to the direct-connection fetch
    options.

Acceptance criteria

  • Toggle present in the connection settings UI for the Streamable HTTP
    transport.
  • Off leaves fetch behavior unchanged.
  • On passes credentials: 'include' to both direct-connection fetch sites.
  • Toggle state persists via localStorage.
  • Tooltip explains the required CORS response headers.

Test plan

  • npm test (client) passes; added two useConnection tests covering the enabled and unset cases for the direct transport
  • tsc --noEmit, eslint, and prettier --check clean on the changed files
  • Manual smoke: point inspector at a cookie-authenticated MCP server with the toggle on, confirm Cookie header sent and session established (screenshot / GIF happy to add on request)

Cookie is a forbidden request header, so JS cannot set it manually. The
only standards path to send cookies cross-origin is credentials: 'include'
on the fetch call. The inspector never set it, so cookie-auth MCP servers
were unreachable from the UI without patching the built bundle.

Add a client-side toggle in connection settings, persisted to
localStorage, applied at both SSE and streamable-http fetch call sites.
Off by default. Tooltip notes the server-side CORS requirements
(Access-Control-Allow-Credentials + non-wildcard origin).

Closes modelcontextprotocol#1454

Signed-off-by: SarthakB11 <sarthak.bhardwaj21b@iiitg.ac.in>
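
The following is an added example, not code from this pull request or from the inspector: it shows the conditional fetch option described above, plus a check of the server-side requirements the tooltip lists (Access-Control-Allow-Credentials: true, a non-wildcard Access-Control-Allow-Origin, and SameSite=None; Secure on the cookie). All function names, the origin and the header samples are hypothetical and constructed for illustration.

```javascript
// Added example; helper names are hypothetical, not the inspector's code.

// Add credentials: 'include' only when the toggle is on, so the default
// fetch behaviour stays unchanged.
function buildDirectFetchInit(baseInit, credentialsInclude) {
  return credentialsInclude ? { ...baseInit, credentials: "include" } : { ...baseInit };
}

// Case-insensitive header lookup on a plain object.
function header(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : String(headers[key]).trim();
}

// Reasons a browser would refuse to expose a credentialed cross-origin
// response to a page served from pageOrigin. Empty array means acceptable.
function credentialedCorsProblems(headers, pageOrigin) {
  const problems = [];
  const acao = header(headers, "Access-Control-Allow-Origin");
  if (acao === undefined) problems.push("missing Access-Control-Allow-Origin");
  else if (acao === "*") problems.push("wildcard Access-Control-Allow-Origin is rejected with credentials");
  else if (acao !== pageOrigin) problems.push(`Access-Control-Allow-Origin ${acao} does not match ${pageOrigin}`);
  // Only the exact lowercase value "true" is accepted.
  if (header(headers, "Access-Control-Allow-Credentials") !== "true")
    problems.push("Access-Control-Allow-Credentials must be true");
  return problems;
}

// A cookie is attached to cross-site requests only with SameSite=None and Secure.
function cookieSentCrossSite(setCookie) {
  const attrs = setCookie.split(";").slice(1).map((a) => a.trim().toLowerCase());
  return attrs.includes("samesite=none") && attrs.includes("secure");
}

// Constructed sample data.
const INSPECTOR_ORIGIN = "https://inspector.example";
const GOOD = { "access-control-allow-origin": INSPECTOR_ORIGIN, "access-control-allow-credentials": "true" };
const WILDCARD = { "Access-Control-Allow-Origin": "*", "Access-Control-Allow-Credentials": "true" };

console.log(buildDirectFetchInit({ method: "POST" }, true));
console.log(credentialedCorsProblems(GOOD, INSPECTOR_ORIGIN));
console.log(credentialedCorsProblems(WILDCARD, INSPECTOR_ORIGIN));
console.log(cookieSentCrossSite("sid=abc; Path=/; SameSite=None; Secure"));
```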

Development

Successfully merging this pull request may close these issues.

[enhancement] Add credentials: 'include' toggle to connection settings
