remove CrossOriginProtection from ServerConfig

Author: RossTarrant

pkg/http/handler.go

@@ -223,11 +223,16 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	// Bypass cross-origin protection: this server uses bearer tokens (not
+	// cookies), so Sec-Fetch-Site CSRF checks are unnecessary. See PR #XXXX.
+	crossOriginProtection := http.NewCrossOriginProtection()
+	crossOriginProtection.AddInsecureBypassPattern("/")
+
 	mcpHandler := mcp.NewStreamableHTTPHandler(func(_ *http.Request) *mcp.Server {
 		return ghServer
 	}, &mcp.StreamableHTTPOptions{
 		Stateless:             true,
-		CrossOriginProtection: h.config.CrossOriginProtection,
+		CrossOriginProtection: crossOriginProtection,
 	})
 
 	mcpHandler.ServeHTTP(w, r)

pkg/http/handler_test.go

@@ -665,97 +665,53 @@ func buildStaticInventoryFromTools(cfg *ServerConfig, tools []inventory.ServerTo
 func TestCrossOriginProtection(t *testing.T) {
 	jsonRPCBody := `{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2025-03-26","capabilities":{},"clientInfo":{"name":"test","version":"0.1"}}}`
 
-	newHandler := func(t *testing.T, crossOriginProtection *http.CrossOriginProtection) http.Handler {
-		t.Helper()
-
-		apiHost, err := utils.NewAPIHost("https://api.githubcopilot.com")
-		require.NoError(t, err)
-
-		handler := NewHTTPMcpHandler(
-			context.Background(),
-			&ServerConfig{
-				Version:               "test",
-				CrossOriginProtection: crossOriginProtection,
-			},
-			nil,
-			translations.NullTranslationHelper,
-			slog.Default(),
-			apiHost,
-			WithInventoryFactory(func(_ *http.Request) (*inventory.Inventory, error) {
-				return inventory.NewBuilder().Build()
-			}),
-			WithGitHubMCPServerFactory(func(_ *http.Request, _ github.ToolDependencies, _ *inventory.Inventory, _ *github.MCPServerConfig) (*mcp.Server, error) {
-				return mcp.NewServer(&mcp.Implementation{Name: "test", Version: "0.0.1"}, nil), nil
-			}),
-			WithScopeFetcher(allScopesFetcher{}),
-		)
-
-		r := chi.NewRouter()
-		handler.RegisterMiddleware(r)
-		handler.RegisterRoutes(r)
-		return r
-	}
+	apiHost, err := utils.NewAPIHost("https://api.githubcopilot.com")
+	require.NoError(t, err)
+
+	handler := NewHTTPMcpHandler(
+		context.Background(),
+		&ServerConfig{
+			Version: "test",
+		},
+		nil,
+		translations.NullTranslationHelper,
+		slog.Default(),
+		apiHost,
+		WithInventoryFactory(func(_ *http.Request) (*inventory.Inventory, error) {
+			return inventory.NewBuilder().Build()
+		}),
+		WithGitHubMCPServerFactory(func(_ *http.Request, _ github.ToolDependencies, _ *inventory.Inventory, _ *github.MCPServerConfig) (*mcp.Server, error) {
+			return mcp.NewServer(&mcp.Implementation{Name: "test", Version: "0.0.1"}, nil), nil
+		}),
+		WithScopeFetcher(allScopesFetcher{}),
+	)
+
+	r := chi.NewRouter()
+	handler.RegisterMiddleware(r)
+	handler.RegisterRoutes(r)
 
 	tests := []struct {
-		name                  string
-		crossOriginProtection *http.CrossOriginProtection
-		secFetchSite          string
-		origin                string
-		expectedStatusCode    int
+		name         string
+		secFetchSite string
+		origin       string
 	}{
 		{
-			name:               "SDK default rejects cross-site when no bypass configured",
-			secFetchSite:       "cross-site",
-			origin:             "https://evil.example.com",
-			expectedStatusCode: http.StatusForbidden,
-		},
-		{
-			name:               "SDK default allows same-origin request",
-			secFetchSite:       "same-origin",
-			expectedStatusCode: http.StatusOK,
+			name:         "cross-site request with bearer token succeeds",
+			secFetchSite: "cross-site",
+			origin:       "https://example.com",
 		},
 		{
-			name:               "SDK default allows request without Sec-Fetch-Site (native client)",
-			secFetchSite:       "",
-			expectedStatusCode: http.StatusOK,
+			name:         "same-origin request succeeds",
+			secFetchSite: "same-origin",
 		},
 		{
-			name: "bypass protection allows cross-site request",
-			crossOriginProtection: func() *http.CrossOriginProtection {
-				p := http.NewCrossOriginProtection()
-				p.AddInsecureBypassPattern("/")
-				return p
-			}(),
-			secFetchSite:       "cross-site",
-			origin:             "https://example.com",
-			expectedStatusCode: http.StatusOK,
-		},
-		{
-			name: "bypass protection still allows same-origin request",
-			crossOriginProtection: func() *http.CrossOriginProtection {
-				p := http.NewCrossOriginProtection()
-				p.AddInsecureBypassPattern("/")
-				return p
-			}(),
-			secFetchSite:       "same-origin",
-			expectedStatusCode: http.StatusOK,
-		},
-		{
-			name: "bypass protection allows request without Sec-Fetch-Site (native client)",
-			crossOriginProtection: func() *http.CrossOriginProtection {
-				p := http.NewCrossOriginProtection()
-				p.AddInsecureBypassPattern("/")
-				return p
-			}(),
-			secFetchSite:       "",
-			expectedStatusCode: http.StatusOK,
+			name:         "native client without Sec-Fetch-Site succeeds",
+			secFetchSite: "",
 		},
 	}
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			h := newHandler(t, tt.crossOriginProtection)
-
 			req := httptest.NewRequest(http.MethodPost, "/", strings.NewReader(jsonRPCBody))
 			req.Header.Set("Content-Type", "application/json")
 			req.Header.Set("Accept", "application/json, text/event-stream")
@@ -768,9 +724,9 @@ func TestCrossOriginProtection(t *testing.T) {
 			}
 
 			rr := httptest.NewRecorder()
-			h.ServeHTTP(rr, req)
+			r.ServeHTTP(rr, req)
 
-			assert.Equal(t, tt.expectedStatusCode, rr.Code, "unexpected status code; body: %s", rr.Body.String())
+			assert.Equal(t, http.StatusOK, rr.Code, "unexpected status code; body: %s", rr.Body.String())
 		})
 	}
 }

pkg/http/server.go

@@ -87,11 +87,6 @@ type ServerConfig struct {
 
 	// InsidersMode indicates if we should enable experimental features.
 	InsidersMode bool
-
-	// CrossOriginProtection configures the SDK's cross-origin request protection.
-	// If nil and using RunHTTPServer, cross-origin requests are allowed (auto-bypass).
-	// If nil and using the handler as a library, the SDK default (reject) applies.
-	CrossOriginProtection *http.CrossOriginProtection
 }
 
 func RunHTTPServer(cfg ServerConfig) error {
@@ -165,14 +160,6 @@ func RunHTTPServer(cfg ServerConfig) error {
 		serverOptions = append(serverOptions, WithScopeFetcher(scopeFetcher))
 	}
 
-	// Bypass cross-origin protection: this server uses bearer tokens, not
-	// cookies, so CSRF checks are unnecessary.
-	if cfg.CrossOriginProtection == nil {
-		p := http.NewCrossOriginProtection()
-		p.AddInsecureBypassPattern("/")
-		cfg.CrossOriginProtection = p
-	}
-
 	r := chi.NewRouter()
 	handler := NewHTTPMcpHandler(ctx, &cfg, deps, t, logger, apiHost, append(serverOptions, WithFeatureChecker(featureChecker), WithOAuthConfig(oauthCfg))...)
 	oauthHandler, err := oauth.NewAuthHandler(oauthCfg, apiHost)