CORS errors when using the "Quick OAuth Flow" auth troubleshooter

[anthony-c-martin]

Inspector Version

0.16.7

Describe the bug

I'm trying to troubleshoot a new remote MCP server, and see this error message:

When I look at the browser logs, I see the following, indicating the web requests aren't actually failing - it's just being blocked by my browser's CORS policy:

Access to fetch at 'https://<redacted>/.well-known/oauth-protected-resource' from origin 'http://localhost:6274' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

To Reproduce
Steps to reproduce the behavior:

1. Add remote server, click 'Connect'
2. Click on 'Auth'
3. Scroll down to 'Quick OAuth Flow'
4. See error

Expected behavior

1. The app is able to make requests regardless of CORS policy, or instructions are provided on how to run it in a way to bypass.
2. The error message is more descriptive of the problem, rather than indicating a generic problem has occurred.

Screenshots
See above

Environment (please complete the following information):

• OS: macOS (Tahoe 26.0)
• Browser: Edge

Additional context
N/A

[Xueyao-Huang]

same in 0.16.8

[cliffhall]

The app is able to make requests regardless of CORS policy, or instructions are provided on how to run it in a way to bypass.

@anthony-c-martin when you say "the app" do you mean a browser-based app or an app running as a service? The latter will not have any CORS-related issues, because that is a browser concern.

Any browser-based app will have a CORS issue connecting to any server that does not allow its origin to connect. It's not up to the Inspector or any browser-based app to set the CORS policy, that's the server's prerogative.

Have a look at the Everything reference server implementation and how it opens the CORS origin and headers it allows the browser to read.