Skip to content

fix(api): allow PATCH in CORS so browsers can call the status endpoints#1436

Open
JosephDoUrden wants to merge 1 commit into
modelcontextprotocol:mainfrom
JosephDoUrden:fix/cors-allow-patch
Open

fix(api): allow PATCH in CORS so browsers can call the status endpoints#1436
JosephDoUrden wants to merge 1 commit into
modelcontextprotocol:mainfrom
JosephDoUrden:fix/cors-allow-patch

Conversation

@JosephDoUrden

Copy link
Copy Markdown
Contributor

The status endpoints (PATCH /v0/servers/{name}/status and the per-version one) are served with PATCH, but the CORS middleware's AllowedMethods lists GET/POST/PUT/DELETE/OPTIONS and never PATCH. So a cross-origin browser preflight for those endpoints comes back without the allow headers and the browser blocks the actual request. One-line fix: add PATCH to the allowed methods.

While here, the existing CORS test turned out to be a placeholder that never reaches the real wrapped handler (its own comments say so), which is why this went unnoticed. Added a small Handler() accessor and a proper preflight test that asserts each routed method including PATCH is allowed.

The status endpoints (PATCH /v0/servers/{name}/status and the per-version
variant) are served with PATCH, but the CORS middleware's AllowedMethods never
listed PATCH, so a cross-origin browser preflight for them returns without the
allow headers and the browser blocks the request. Added PATCH to the allowed
methods.

The existing CORS test is a black-box placeholder that can't reach the wrapped
handler (its own comments say as much), which is why this slipped through. Added
a small Handler() accessor and a real preflight test asserting every routed
method including PATCH is allowed.
@JosephDoUrden JosephDoUrden force-pushed the fix/cors-allow-patch branch from ac0e3c0 to 191aec6 Compare July 11, 2026 10:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant