feat: make CORS settings configurable for MCP server

[Rajneesh180]

Which problem is this PR solving?

Part of #7827

The MCP server extension hardcodes Access-Control-Allow-Origin: * and manages HTTP lifecycle (listener, server) manually. This PR switches to confighttp.ServerConfig for CORS and HTTP setup, aligning with how other collector extensions handle this.

Description of the changes

• CORS via confighttp: Uses confighttp.ServerConfig.CORS (backed by rs/cors) instead of a hand-rolled CORS middleware. Default config sets AllowedOrigins: ["*"] for backward compatibility.
• HTTP lifecycle via confighttp: Replaced manual net.ListenConfig + http.Server{} with confighttp.ToListener() + confighttp.ToServer(), which provides TLS support, OTel instrumentation, decompression, and auth middleware for free.
• Thin mcpExposeHeadersMiddleware: Only sets Access-Control-Expose-Headers: Mcp-Session-Id, since confighttp.CORSConfig doesn't expose that rs/cors option.
• Resource cleanup: Closes listener if ToServer() fails, preventing socket leak.

Example CORS configuration

jaeger_mcp:
  http:
    cors:
      allowed_origins:
        - "http://localhost:3000"
        - "http://*.internal.example.com"
      allowed_headers:
        - "X-Custom-Auth"

How was this change tested?

• TestCORSPreflight — verifies preflight 204 + Access-Control-Allow-Origin via confighttp CORS
• TestCORSConfigurableOrigins — 6 subtests: wildcard, exact match, blocked, subdomain match/no-match, multiple origins
• TestCORSCustomHeaders — verifies MCP protocol headers + custom headers in Access-Control-Allow-Headers

Full MCP test suite passes: go test ./cmd/jaeger/internal/extension/jaegermcp/... — all 4 packages PASS.

[Copilot]

Pull request overview

Adds configurable CORS behavior to the Jaeger MCP server extension so deployments can restrict allowed origins and permit additional request headers, rather than always responding with Access-Control-Allow-Origin: *.

Changes:

• Introduces CORSConfig (allowed origins + additional allowed headers) and wires it into the MCP server config.
• Updates corsMiddleware to match/echo allowed origins and to always include required MCP protocol headers in Access-Control-Allow-Headers.
• Expands/updates CORS-related tests with table-driven coverage for origin matching and custom headers.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.

File	Description
cmd/jaeger/internal/extension/jaegermcp/config.go	Adds CORSConfig and exposes it on the extension Config via mapstructure:"cors".
cmd/jaeger/internal/extension/jaegermcp/factory.go	Sets backward-compatible default CORS config (AllowedOrigins: ["*"]).
cmd/jaeger/internal/extension/jaegermcp/server.go	Makes CORS behavior configurable; implements origin matching + configurable allowed headers.
cmd/jaeger/internal/extension/jaegermcp/server_test.go	Updates preflight test expectations and adds new tests for configurable origins and custom headers.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The AllowedOrigins comment says it “supports ... wildcard patterns”, but the implementation in isOriginAllowed has specific (and somewhat permissive) wildcard semantics. To reduce misconfiguration risk, consider documenting the exact supported pattern(s) (e.g., only * and scheme://*.example.com with a single wildcard) and/or validating unsupported patterns early in Validate().

Suggested change

	// Use ["*"] to allow any origin. Supports exact matches and wildcard patterns
	// (e.g., "http://*.example.com").
	// Use ["*"] to allow any origin. Literal origins (e.g., "https://example.com") are
	// always matched exactly. Wildcard handling, if used, follows the MCP server's
	// origin-matching implementation and should be configured with care.

[Copilot]

When Access-Control-Allow-Origin is set dynamically based on the request Origin, the response should also include Vary: Origin to prevent shared caches/CDNs from serving a response with the wrong CORS headers to a different origin (cache poisoning / data exposure risk). Consider adding Vary: Origin (and for preflights optionally Vary: Access-Control-Request-Method / Vary: Access-Control-Request-Headers).

[Copilot]

isOriginAllowed currently treats any * in the configured pattern as a wildcard and matches by simple prefix/suffix. This is more permissive than the doc comment implies (“leading wildcard to match subdomains”) and can easily lead to accidentally broad matches (e.g., patterns with * in unexpected positions). Suggest either (a) enforcing/validating the supported form (single wildcard only in the subdomain position like scheme://*.example.com) or (b) updating the documentation to match the actual matching semantics.

[Copilot]

The PR description mentions “correct CORS behavior for credentialed requests”, but this middleware never sets Access-Control-Allow-Credentials: true. Echoing the origin is necessary but not sufficient for credentialed browser requests; if credentials are in scope, this likely needs a configurable allow_credentials flag and to avoid returning * when credentials are enabled. Otherwise, consider adjusting wording/comments to avoid implying credential support.

[Copilot]

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

[Copilot]

When an Origin header is present but not allowed, the handler still processes the request (and preflights still return 204) — it just omits Access-Control-Allow-Origin. If the intent is to "restrict which origins can access the MCP endpoint", this doesn’t actually prevent cross-site requests (it only prevents browsers from reading responses) and can still allow CSRF-style side effects or resource usage. Consider explicitly rejecting requests with a disallowed Origin (e.g., return 403 for OPTIONS and non-OPTIONS when Origin is present and not allowed), or clarify in docs/tests that this is only a browser read restriction, not access control.

[Copilot]

The middleware now conditionally adds Vary: Origin when reflecting an allowed Origin, but the new CORS tests only assert Access-Control-Allow-Origin. To prevent regressions in caching behavior, consider extending the relevant subtests to assert Vary is set to Origin when expectedOrigin is a reflected origin (and absent when expectedOrigin is "*" or empty).

Suggested change

	assert.Equal(t, tt.expectedOrigin, resp.Header.Get("Access-Control-Allow-Origin"))
	assert.Equal(t, tt.expectedOrigin, resp.Header.Get("Access-Control-Allow-Origin"))
	// When the origin is reflected, the middleware should set Vary: Origin
	// to ensure correct caching behavior. For wildcard ("*") or empty
	// expected origins, Vary should be absent.
	if tt.expectedOrigin != "" && tt.expectedOrigin == tt.requestOrigin {
	assert.Equal(t, "Origin", resp.Header.Get("Vary"))
	} else {
	assert.Equal(t, "", resp.Header.Get("Vary"))
	}

[yurishkuro]

Doesn't confighttp.ServerConfig have CORS config?

[Rajneesh180]

Great catch — you're right, confighttp.ServerConfig already has CORS support via its CORS configoptional.Optional[CORSConfig] field. I've refactored to use it.

What changed:

• Removed the custom CORSConfig struct entirely — CORS origins/headers are now configured through HTTP.CORS using configoptional.Some(confighttp.CORSConfig{...})
• Replaced the manual net.Listen + http.Server setup with confighttp's ToListener() + ToServer(), which gives us TLS support, OTel instrumentation, decompression, and auth middleware for free
• Deleted ~60 lines of custom corsMiddleware/containsWildcard/isOriginAllowed — all of that is now handled by rs/cors via confighttp
• Kept a thin mcpExposeHeadersMiddleware (~7 lines) only for Access-Control-Expose-Headers: Mcp-Session-Id, since confighttp.CORSConfig doesn't expose that rs/cors option

This also addresses all of Copilot's review points (missing Vary: Origin, Allow-Credentials, permissive wildcard matching) since rs/cors handles all of those correctly.

Net result: -75 lines, and we're aligned with how other collector extensions (like jaegerquery) handle CORS.

[yurishkuro]

why should this be in the default config? A default config can be overwritten by the users, then all these headers will become invalid

[Rajneesh180]

Addressed the review feedback:

• Removed AllowedHeaders from default CORS config — When AllowedHeaders is empty/unset, rs/cors automatically mirrors all Access-Control-Request-Headers from the preflight request. This means MCP headers (Mcp-Session-Id, Mcp-Protocol-Version, Last-Event-ID) work out of the box without being hardcoded in defaults, and users who override CORS config won't lose them.
• Users can still explicitly restrict headers via allowed_headers in their config if needed.
• Access-Control-Expose-Headers: Mcp-Session-Id is still handled by the dedicated middleware (mcpExposeHeadersMiddleware), independent of CORS config.
• Fixed DCO sign-off on all commits.

@yurishkuro ready for re-review when you have a chance.

[Copilot]

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 6 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

[Copilot]

TestCORSPreflight no longer asserts Access-Control-Allow-Methods (and it also doesn't validate allowed request headers). Since this test is the basic regression check for the CORS behavior, it should continue to verify the expected preflight response headers produced by the server.

[Copilot]

The PR description mentions an "empty origins blocks all" scenario, but TestCORSConfigurableOrigins does not include a case where AllowedOrigins is empty/nil. Adding that case would help prevent regressions around the "block all" configuration behavior.

Suggested change

	},
	},
	{
	name: "nil origins blocks all",
	allowedOrigins: nil,
	requestOrigin: "http://example.com",
	expectedOrigin: "",
	},
	{
	name: "empty origins blocks all",
	allowedOrigins: []string{},
	requestOrigin: "http://example.com",
	expectedOrigin: "",
	},

[Copilot]

This test config explicitly includes the MCP protocol headers in AllowedHeaders. If the intended behavior is that MCP protocol headers are always permitted regardless of configuration, the test should avoid listing those headers and instead assert they are still allowed when only a custom header is configured (or update the implementation/description to match the actual behavior).

[Copilot]

The PR description references adding a new jaeger_mcp-specific CORSConfig struct, but the code change instead relies on confighttp.ServerConfig.CORS for CORS settings. Either update the PR description to reflect the actual implementation approach, or introduce the described struct if that was the intent.

[Copilot]

If s.config.HTTP.ToServer(...) returns an error, Start returns without closing the listener created earlier via ToListener, which can leak the bound socket/file descriptor. Consider closing s.listener (or the local listener) before returning on this error path.

Suggested change

	if err != nil {
	if err != nil {
	if s.listener != nil {
	_ = s.listener.Close()
	s.listener = nil
	}

[Copilot]

The default MCP CORS configuration only sets AllowedOrigins, but it no longer whitelists the MCP protocol request headers (e.g., Mcp-Session-Id / Mcp-Protocol-Version / Last-Event-ID) that were previously always allowed by the custom corsMiddleware. With confighttp/rs-cors defaults, preflight requests that include these headers can be rejected unless they are added to AllowedHeaders. To preserve backward compatibility, consider adding the MCP protocol headers to the default AllowedHeaders (and optionally merging any user-configured AllowedHeaders with these defaults).

Suggested change

	AllowedOrigins: []string{"*"},
	AllowedOrigins: []string{"*"},
	AllowedHeaders: []string{"Mcp-Session-Id", "Mcp-Protocol-Version", "Last-Event-ID"},

[Copilot]

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

[Rajneesh180]

Pushed a fix addressing the remaining review feedback.

Key change: mcpExposeHeadersMiddleware was using Header.Set which clobbers any Access-Control-Expose-Headers already set by confighttp's CORS handling — switched to Header.Add.

Also found a real issue with the default config: with empty AllowedHeaders, rs/cors does NOT auto-mirror request headers — it defaults to {accept, content-type, x-requested-with}. MCP protocol headers would silently fail in CORS preflight. The auto-mirror behavior only activates with AllowedHeaders: ["*"], so I added that to the default config. This addresses @yurishkuro's earlier concern about specific headers becoming invalid when users override defaults — wildcard can't be "lost" like a hardcoded list can.

Test improvements:

• TestCORSPreflight now asserts Access-Control-Allow-Methods
• Added nil/empty origins test cases to TestCORSConfigurableOrigins
• TestCORSCustomHeaders tests the auto-mirror behavior instead of listing MCP headers explicitly

All tests pass locally. Ready for re-review.