feat(client): add credentials: 'include' toggle for cookie-auth servers #1580
Open
SarthakB11 wants to merge 1 commit into
Cookie is a forbidden request header, so JS cannot set it manually. The only standards path to send cookies cross-origin is credentials: 'include' on the fetch call. The inspector never set it, so cookie-auth MCP servers were unreachable from the UI without patching the built bundle.

Add a client-side toggle in connection settings, persisted to localStorage, applied at both SSE and streamable-http fetch call sites. Off by default. Tooltip notes the server-side CORS requirements (Access-Control-Allow-Credentials + non-wildcard origin).

Closes modelcontextprotocol#1454

Signed-off-by: SarthakB11 <sarthak.bhardwaj21b@iiitg.ac.in>
Title:
feat(web): add "Send cookies" toggle for direct Streamable HTTP connections (closes #1454)

Closes #1454.
Summary
Adds a "Send cookies (credentials: include)" checkbox to the connection settings panel. When enabled, the direct transport passes credentials: 'include' on its fetch calls so the browser attaches cookies stored for the target origin. Feature is default-off and follows the same UI+localStorage pattern used in the recently-merged connection-settings additions (#1553, #1551).

The browser treats Cookie as a forbidden header, so JavaScript cannot set it manually. credentials: 'include' is the only standards-compliant way to send cookies on a cross-origin request. Without it, MCP servers that rely on cookie-based auth or session routing are unreachable from the inspector UI unless the built bundle is patched by hand.
Changes
Type is Direct (the option does not apply to the proxy transport, which
forwards cookies server-side).
credentialsInclude plumbed through App into useConnection; both direct fetch call sites (SSE and Streamable HTTP) add credentials: 'include' only when the toggle is on.
localStorage under lastCredentialsInclude, matching the existing lastConnectionType persistence.
Access-Control-Allow-Credentials: true, a non-wildcard Access-Control-Allow-Origin, and SameSite=None; Secure for cross-site cookies.
Behavior
credentials: 'include' is added to the direct-connection fetch options.
Acceptance criteria
transport.
credentials: 'include' to both direct-connection fetch sites.
localStorage.
Test plan
npm test (client) passes; added two useConnection tests covering the enabled and unset cases for the direct transport
tsc --noEmit, eslint, and prettier --check clean on the changed files
Cookie header sent and session established (screenshot / GIF happy to add on request)
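
Added example, not code from this pull request or the inspector: a JavaScript check of the server-side requirements the description lists for credentials: 'include' (Access-Control-Allow-Credentials: true, a non-wildcard Access-Control-Allow-Origin, SameSite=None; Secure), plus the conditional fetch option. The function names, the origin https://inspector.example and the sample headers and cookie are constructed assumptions.

```javascript
// Added example: validates the server-side requirements for a cross-origin
// fetch made with credentials: 'include'. All names and sample values below
// are constructed for illustration; none come from the inspector code base.

// Add credentials only when the toggle is on (hypothetical helper).
function directFetchOptions(base, credentialsInclude) {
  return credentialsInclude ? { ...base, credentials: 'include' } : { ...base };
}

// Header names are case-insensitive, so index them in lower case.
function lowerKeys(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v).trim();
  return out;
}

// Returns the reasons a browser would block a credentialed response (empty = ok).
function checkCredentialedCors(pageOrigin, responseHeaders) {
  const h = lowerKeys(responseHeaders);
  const problems = [];
  const acao = h['access-control-allow-origin'];
  if (acao === undefined) problems.push('Access-Control-Allow-Origin is missing');
  else if (acao === '*') problems.push('wildcard origin is not accepted with credentials');
  else if (acao !== pageOrigin) problems.push(`allowed origin ${acao} is not ${pageOrigin}`);
  // The value is compared case-sensitively: "True" or "1" do not count.
  if (h['access-control-allow-credentials'] !== 'true')
    problems.push('Access-Control-Allow-Credentials must be "true"');
  return problems;
}

// A cookie only travels on cross-site requests with SameSite=None and Secure.
function checkCrossSiteCookie(setCookie) {
  const attrs = setCookie.split(';').slice(1).map((a) => a.trim().toLowerCase());
  const problems = [];
  if (!attrs.includes('samesite=none')) problems.push('SameSite=None is missing');
  if (!attrs.includes('secure')) problems.push('Secure is missing');
  return problems;
}

// Constructed sample: a server that answers with a wildcard origin, then a corrected one.
const sampleOrigin = 'https://inspector.example';
const weakHeaders = { 'Access-Control-Allow-Origin': '*', 'Access-Control-Allow-Credentials': 'true' };
const fixedHeaders = { 'access-control-allow-origin': sampleOrigin, 'Access-Control-Allow-Credentials': 'true', Vary: 'Origin' };
console.log(checkCredentialedCors(sampleOrigin, weakHeaders));
console.log(checkCredentialedCors(sampleOrigin, fixedHeaders));
console.log(checkCrossSiteCookie('sid=constructed; Path=/; HttpOnly'));
```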