
Add context-aware CORS policy to enhance security #1609

Merged: g2vinay merged 6 commits into microsoft:main from g2vinay:update-cors-policy on Feb 6, 2026

Conversation

@g2vinay (Contributor) commented Jan 29, 2026

Add context-aware CORS policy for HTTP transport mode

  • Development mode (unauthenticated): Restricts to localhost origins only to prevent CSRF attacks

    • Allows localhost/127.0.0.1/[::1] with any port (supports MCP Inspector, custom ports)
    • Protects against cross-site request forgery when --dangerously-disable-http-incoming-auth is used
    • Prevents malicious websites from accessing developer's Azure credentials via localhost endpoints
  • Production mode (authenticated): Allows all origins safely

    • JWT Bearer authentication validates all requests regardless of origin
    • Required for MCP clients (GitHub Copilot in VS Code/Codespaces) from various origins
    • CORS is a browser mechanism; authenticated API doesn't need origin restrictions

Replaces permissive 'AllowAll' policy with context-aware 'McpCorsPolicy'
Implements ConfigureCors() method shared by both authenticated and unauthenticated HTTP hosts
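An illustrative ASP.NET Core ConfigureCors() showing the two branches the description lists, added here as an example and not the PR's own code: the policy name and the DangerouslyDisableHttpIncomingAuth flag come from the PR, while the method signature, the IsLoopbackOrigin helper and the reliance on Uri.IsLoopback are assumptions.

```csharp
using System;
using Microsoft.Extensions.DependencyInjection;

// Illustrative example in the spirit of the PR; not the Azure MCP Server's code.
public static class McpCorsConfiguration
{
    public const string PolicyName = "McpCorsPolicy";

    // An origin is accepted only if it is an absolute http(s) URI whose host is a
    // loopback address: localhost, 127.0.0.1 (any 127/8 address) or [::1], on any port.
    // "null" origins and unparsable values are rejected. (Assumed helper.)
    public static bool IsLoopbackOrigin(string? origin)
    {
        if (string.IsNullOrEmpty(origin)) return false;
        if (!Uri.TryCreate(origin, UriKind.Absolute, out var uri)) return false;
        if (uri.Scheme != Uri.UriSchemeHttp && uri.Scheme != Uri.UriSchemeHttps) return false;
        return uri.IsLoopback;
    }

    // Shared by the authenticated and the auth-disabled HTTP hosts.
    public static IServiceCollection ConfigureCors(
        this IServiceCollection services, bool dangerouslyDisableHttpIncomingAuth)
    {
        services.AddCors(options =>
        {
            options.AddPolicy(PolicyName, policy =>
            {
                if (dangerouslyDisableHttpIncomingAuth)
                {
                    // Development mode: no bearer auth, so the browser's CORS enforcement
                    // is the only barrier; accept loopback origins on any port only.
                    policy.SetIsOriginAllowed(IsLoopbackOrigin)
                          .AllowAnyHeader()
                          .AllowAnyMethod();
                }
                else
                {
                    // Production mode: every request is validated by JWT bearer auth,
                    // so origin restrictions add nothing. AllowAnyOrigin must not be
                    // combined with AllowCredentials (ASP.NET Core rejects that pairing).
                    policy.AllowAnyOrigin()
                          .AllowAnyHeader()
                          .AllowAnyMethod();
                }
            });
        });
        return services;
    }
}
// Apply in the pipeline with: app.UseCors(McpCorsConfiguration.PolicyName);
```

CORS only decides whether the browser may read the response; a request that qualifies as a CORS "simple request" is still delivered, so the development-mode protection relies on MCP clients sending JSON bodies, which require a preflight.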

Copilot AI (Contributor) left a comment

Pull request overview

This PR adds a context-aware CORS policy to enhance security for the HTTP transport mode. The policy behaves differently based on the authentication mode: in development mode (unauthenticated), it restricts requests to localhost origins only to prevent CSRF attacks, while in production mode (authenticated), it allows all origins since JWT Bearer authentication validates all requests.

Changes:

  • Introduced a new ConfigureCors() method that configures CORS policy based on the DangerouslyDisableHttpIncomingAuth flag
  • Replaced the permissive "AllowAll" CORS policy with a context-aware "McpCorsPolicy"
  • Updated both CreateHttpHost and CreateIncomingAuthDisabledHttpHost methods to use the new shared CORS configuration

4 comment threads on core/Azure.Mcp.Core/src/Areas/Server/Commands/ServiceStartCommand.cs (outdated)

@anuchandy (Member) left a comment

thanks Vinay, lgtm

@g2vinay g2vinay merged commit 2401099 into microsoft:main Feb 6, 2026
14 checks passed
@github-project-automation github-project-automation Bot moved this from Untriaged to Done in Azure MCP Server Feb 6, 2026
colbytimm pushed a commit to colbytimm/microsoft-mcp that referenced this pull request Apr 20, 2026
Labels: none yet. Project status: Done. 3 participants.