feat: make CORS settings configurable for MCP server (#7827)

Add CORSConfig to the MCP extension configuration allowing operators
to control which origins and headers are permitted for cross-origin
requests to the MCP endpoint.

Changes:
- Add CORSConfig struct with allowed_origins and allowed_headers fields
- Support exact origin matches, wildcard (*), and subdomain patterns
  (e.g., http://*.example.com)
- Echo the matched origin in Access-Control-Allow-Origin instead of
  literal '*' (correct CORS behavior for credentialed requests)
- Always include MCP protocol headers (Mcp-Session-Id,
  Mcp-Protocol-Version, Last-Event-ID) regardless of config
- Default to AllowedOrigins: ["*"] for backward compatibility
- Add comprehensive table-driven tests for origin matching

Resolves #7827

Signed-off-by: Rajneesh180 <rajneeshrehsaan48@gmail.com>

Author: Rajneesh180

cmd/jaeger/internal/extension/jaegermcp/config.go

@@ -9,6 +9,20 @@ import (
 	"go.opentelemetry.io/collector/confmap/xconfmap"
 )
 
+// CORSConfig holds CORS configuration for the MCP server.
+type CORSConfig struct {
+	// AllowedOrigins is a list of origins that are allowed to make cross-origin requests.
+	// Use ["*"] to allow any origin. Supports exact matches and wildcard patterns
+	// (e.g., "http://*.example.com").
+	AllowedOrigins []string `mapstructure:"allowed_origins"`
+
+	// AllowedHeaders is a list of additional headers the client is allowed to use
+	// in cross-origin requests. MCP protocol headers (Mcp-Session-Id,
+	// Mcp-Protocol-Version, Last-Event-ID) are always permitted regardless of
+	// this setting.
+	AllowedHeaders []string `mapstructure:"allowed_headers"`
+}
+
 // Config represents the configuration for the Jaeger MCP server extension.
 type Config struct {
 	// HTTP contains the HTTP server configuration for the MCP protocol endpoint.
@@ -25,6 +39,10 @@ type Config struct {
 
 	// MaxSearchResults limits the number of trace search results.
 	MaxSearchResults int `mapstructure:"max_search_results" valid:"range(1|1000)"`
+
+	// CORS configures cross-origin resource sharing for the MCP HTTP endpoint.
+	// This is required for browser-based MCP clients like the MCP Inspector.
+	CORS CORSConfig `mapstructure:"cors"`
 }
 
 // Validate checks if the configuration is valid.

cmd/jaeger/internal/extension/jaegermcp/factory.go

@@ -48,6 +48,9 @@ func createDefaultConfig() component.Config {
 		ServerVersion:            ver,
 		MaxSpanDetailsPerRequest: 20,
 		MaxSearchResults:         100,
+		CORS: CORSConfig{
+			AllowedOrigins: []string{"*"},
+		},
 	}
 }
 

cmd/jaeger/internal/extension/jaegermcp/server.go

@@ -9,6 +9,7 @@ import (
 	"fmt"
 	"net"
 	"net/http"
+	"strings"
 	"time"
 
 	"github.com/modelcontextprotocol/go-sdk/mcp"
@@ -102,7 +103,7 @@ func (s *server) Start(ctx context.Context, host component.Host) error {
 	})
 
 	s.httpServer = &http.Server{
-		Handler:           corsMiddleware(mux),
+		Handler:           corsMiddleware(mux, s.config.CORS),
 		ReadHeaderTimeout: 30 * time.Second,
 	}
 
@@ -212,13 +213,31 @@ func (s *server) healthTool(
 	}, nil
 }
 
-// corsMiddleware wraps an http.Handler to add CORS headers.
-// This is required for browser-based MCP clients like the MCP Inspector.
-func corsMiddleware(next http.Handler) http.Handler {
+// corsMiddleware wraps an http.Handler to add CORS headers based on the
+// provided CORSConfig. MCP protocol headers are always included regardless
+// of the configuration. This is required for browser-based MCP clients like
+// the MCP Inspector.
+func corsMiddleware(next http.Handler, cfg CORSConfig) http.Handler {
+	// MCP protocol headers that must always be allowed and exposed.
+	mcpHeaders := []string{"Mcp-Session-Id", "Mcp-Protocol-Version", "Last-Event-ID"}
+
+	// Build allowed headers: base set + MCP headers + user-configured headers.
+	allowedHeaders := []string{"Content-Type", "Accept"}
+	allowedHeaders = append(allowedHeaders, mcpHeaders...)
+	allowedHeaders = append(allowedHeaders, cfg.AllowedHeaders...)
+
+	allowHeadersStr := strings.Join(allowedHeaders, ", ")
+
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		w.Header().Set("Access-Control-Allow-Origin", "*")
+		origin := r.Header.Get("Origin")
+		if origin != "" && isOriginAllowed(origin, cfg.AllowedOrigins) {
+			w.Header().Set("Access-Control-Allow-Origin", origin)
+		} else if containsWildcard(cfg.AllowedOrigins) {
+			w.Header().Set("Access-Control-Allow-Origin", "*")
+		}
+
 		w.Header().Set("Access-Control-Allow-Methods", "GET, POST, DELETE, OPTIONS")
-		w.Header().Set("Access-Control-Allow-Headers", "Content-Type, Accept, Mcp-Session-Id, Mcp-Protocol-Version, Last-Event-ID")
+		w.Header().Set("Access-Control-Allow-Headers", allowHeadersStr)
 		w.Header().Set("Access-Control-Expose-Headers", "Mcp-Session-Id")
 
 		// Handle preflight requests
@@ -230,3 +249,38 @@ func corsMiddleware(next http.Handler) http.Handler {
 		next.ServeHTTP(w, r)
 	})
 }
+
+// containsWildcard checks if the origins list includes "*".
+func containsWildcard(origins []string) bool {
+	for _, o := range origins {
+		if o == "*" {
+			return true
+		}
+	}
+	return false
+}
+
+// isOriginAllowed checks whether the given origin matches any of the allowed
+// origin patterns. Patterns may use a leading wildcard to match subdomains
+// (e.g., "http://*.example.com" matches "http://app.example.com").
+func isOriginAllowed(origin string, allowedOrigins []string) bool {
+	for _, pattern := range allowedOrigins {
+		if pattern == "*" {
+			return true
+		}
+		if pattern == origin {
+			return true
+		}
+		// Support wildcard subdomain matching: "http://*.example.com"
+		if strings.Contains(pattern, "*") {
+			// Split pattern at the wildcard and check prefix/suffix
+			parts := strings.SplitN(pattern, "*", 2)
+			if len(parts) == 2 &&
+				strings.HasPrefix(origin, parts[0]) &&
+				strings.HasSuffix(origin, parts[1]) {
+				return true
+			}
+		}
+	}
+	return false
+}

cmd/jaeger/internal/extension/jaegermcp/server_test.go

@@ -706,6 +706,9 @@ func TestCORSPreflight(t *testing.T) {
 		},
 		ServerName:    "jaeger-test",
 		ServerVersion: "1.0.0",
+		CORS: CORSConfig{
+			AllowedOrigins: []string{"*"},
+		},
 	}
 
 	server := newServer(config, componenttest.NewNopTelemetrySettings())
@@ -727,6 +730,140 @@ func TestCORSPreflight(t *testing.T) {
 	defer resp.Body.Close()
 
 	assert.Equal(t, http.StatusNoContent, resp.StatusCode)
-	assert.Equal(t, "*", resp.Header.Get("Access-Control-Allow-Origin"))
+	assert.Equal(t, "http://localhost:3000", resp.Header.Get("Access-Control-Allow-Origin"))
 	assert.Equal(t, "GET, POST, DELETE, OPTIONS", resp.Header.Get("Access-Control-Allow-Methods"))
 }
+
+func TestCORSConfigurableOrigins(t *testing.T) {
+	tests := []struct {
+		name           string
+		allowedOrigins []string
+		requestOrigin  string
+		expectedOrigin string
+	}{
+		{
+			name:           "wildcard allows any origin",
+			allowedOrigins: []string{"*"},
+			requestOrigin:  "http://example.com",
+			expectedOrigin: "http://example.com",
+		},
+		{
+			name:           "exact match allowed",
+			allowedOrigins: []string{"http://localhost:3000"},
+			requestOrigin:  "http://localhost:3000",
+			expectedOrigin: "http://localhost:3000",
+		},
+		{
+			name:           "non-matching origin blocked",
+			allowedOrigins: []string{"http://localhost:3000"},
+			requestOrigin:  "http://evil.com",
+			expectedOrigin: "",
+		},
+		{
+			name:           "wildcard subdomain match",
+			allowedOrigins: []string{"http://*.example.com"},
+			requestOrigin:  "http://app.example.com",
+			expectedOrigin: "http://app.example.com",
+		},
+		{
+			name:           "wildcard subdomain no match",
+			allowedOrigins: []string{"http://*.example.com"},
+			requestOrigin:  "http://evil.com",
+			expectedOrigin: "",
+		},
+		{
+			name:           "multiple origins first match",
+			allowedOrigins: []string{"http://localhost:3000", "http://localhost:8080"},
+			requestOrigin:  "http://localhost:8080",
+			expectedOrigin: "http://localhost:8080",
+		},
+		{
+			name:           "empty origins blocks all",
+			allowedOrigins: []string{},
+			requestOrigin:  "http://localhost:3000",
+			expectedOrigin: "",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			config := &Config{
+				HTTP: confighttp.ServerConfig{
+					NetAddr: confignet.AddrConfig{
+						Endpoint:  "localhost:0",
+						Transport: confignet.TransportTypeTCP,
+					},
+				},
+				ServerName:    "jaeger-test",
+				ServerVersion: "1.0.0",
+				CORS: CORSConfig{
+					AllowedOrigins: tt.allowedOrigins,
+				},
+			}
+
+			srv := newServer(config, componenttest.NewNopTelemetrySettings())
+			host := newMockHost()
+			err := srv.Start(context.Background(), host)
+			require.NoError(t, err)
+			defer srv.Shutdown(context.Background())
+
+			addr := srv.listener.Addr().String()
+			url := fmt.Sprintf("http://%s/mcp", addr)
+
+			req, err := http.NewRequest(http.MethodOptions, url, http.NoBody)
+			require.NoError(t, err)
+			req.Header.Set("Origin", tt.requestOrigin)
+			req.Header.Set("Access-Control-Request-Method", "POST")
+
+			resp, err := http.DefaultClient.Do(req)
+			require.NoError(t, err)
+			defer resp.Body.Close()
+
+			assert.Equal(t, http.StatusNoContent, resp.StatusCode)
+			assert.Equal(t, tt.expectedOrigin, resp.Header.Get("Access-Control-Allow-Origin"))
+		})
+	}
+}
+
+func TestCORSCustomHeaders(t *testing.T) {
+	config := &Config{
+		HTTP: confighttp.ServerConfig{
+			NetAddr: confignet.AddrConfig{
+				Endpoint:  "localhost:0",
+				Transport: confignet.TransportTypeTCP,
+			},
+		},
+		ServerName:    "jaeger-test",
+		ServerVersion: "1.0.0",
+		CORS: CORSConfig{
+			AllowedOrigins: []string{"*"},
+			AllowedHeaders: []string{"X-Custom-Header"},
+		},
+	}
+
+	srv := newServer(config, componenttest.NewNopTelemetrySettings())
+	host := newMockHost()
+	err := srv.Start(context.Background(), host)
+	require.NoError(t, err)
+	defer srv.Shutdown(context.Background())
+
+	addr := srv.listener.Addr().String()
+	url := fmt.Sprintf("http://%s/mcp", addr)
+
+	req, err := http.NewRequest(http.MethodOptions, url, http.NoBody)
+	require.NoError(t, err)
+	req.Header.Set("Origin", "http://localhost:3000")
+	req.Header.Set("Access-Control-Request-Method", "POST")
+
+	resp, err := http.DefaultClient.Do(req)
+	require.NoError(t, err)
+	defer resp.Body.Close()
+
+	allowHeaders := resp.Header.Get("Access-Control-Allow-Headers")
+	// MCP protocol headers must always be present
+	assert.Contains(t, allowHeaders, "Mcp-Session-Id")
+	assert.Contains(t, allowHeaders, "Mcp-Protocol-Version")
+	assert.Contains(t, allowHeaders, "Last-Event-ID")
+	// Custom header should be included
+	assert.Contains(t, allowHeaders, "X-Custom-Header")
+}