
Conversation

@jacopoc
Contributor

@jacopoc jacopoc commented Dec 1, 2025

Motivation and Context

In the context of DNS rebinding protection, the condition to validate the Origin header has been modified in validateRequestHeaders (in both streamableHttp.ts and sse.ts) in order to prevent the rejection of requests that do not include an Origin header, such as those not originating from browsers, since they are not related to DNS rebinding attacks against the server.

Moreover, before this change, the Origin validation condition in validateRequestHeaders, i.e.

if (!originHeader || !this._allowedOrigins.includes(originHeader)) {
    return `Invalid Origin header: ${originHeader}`;
}

was not compliant with the latest version (2025-11-25) of the MCP specification (Transports - 2.0.1 Security Warning) that states:

If the Origin header is present and invalid, servers MUST respond with HTTP 403 Forbidden.

Instead, the updated Origin validation condition

if (originHeader && !this._allowedOrigins.includes(originHeader)) {
    return `Invalid Origin header: ${originHeader}`;
}

closely implements the specification.

How Has This Been Tested?

Along with the modified condition, this pull request introduces two new tests to verify the acceptance of requests without an Origin header when DNS Rebinding protection is enabled.

Breaking Changes

No breaking changes have been introduced.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Checklist

  • I have read the MCP Documentation
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • I have added or updated documentation as needed

Additional context

…Http.ts and sse.ts) to allow requests without an Origin, as they are not relevant to server DNS rebinding protection.
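To make the behavioural difference concrete, here is an added example (not the SDK's own code) that puts the pre-PR and post-PR Origin conditions quoted above side by side in a small stand-in for validateRequestHeaders and runs three constructed requests through both. The `Headers` shape, the function names and the sample origins are assumptions made for this example.

```typescript
// Added example, not the SDK's own code. `Headers`, the function names and the
// sample values below are assumptions; the two `if` conditions are the ones
// quoted in the pull request description.

type Headers = Record<string, string | undefined>;

// Condition before this PR: an absent Origin header fell into the same branch
// as an invalid one, so non-browser clients (which send no Origin) were rejected.
export function validateOriginBefore(headers: Headers, allowedOrigins: string[]): string | null {
  const originHeader = headers["origin"];
  if (!originHeader || !allowedOrigins.includes(originHeader)) {
    return `Invalid Origin header: ${originHeader}`;
  }
  return null;
}

// Condition after this PR: only an Origin that is present AND not allow-listed
// is rejected, which is what the 2025-11-25 spec wording requires. A browser
// page attempting DNS rebinding still sends its real Origin, so it is still refused.
export function validateOriginAfter(headers: Headers, allowedOrigins: string[]): string | null {
  const originHeader = headers["origin"];
  if (originHeader && !allowedOrigins.includes(originHeader)) {
    return `Invalid Origin header: ${originHeader}`;
  }
  return null;
}

// The transport answers 403 Forbidden whenever validation returns an error string.
export function httpStatus(error: string | null): number {
  return error === null ? 200 : 403;
}

// Constructed sample requests (header names lower-cased, as Node's http module does).
export const allowedOrigins = ["http://localhost:3000"];
export const browserSameOrigin: Headers = { origin: "http://localhost:3000" };
export const browserForeignOrigin: Headers = { origin: "http://other.example" };
export const nonBrowserClient: Headers = {}; // e.g. a CLI or SDK client: no Origin at all

// Evaluate one request against both conditions; returns [statusBefore, statusAfter].
export function compare(headers: Headers): [number, number] {
  return [
    httpStatus(validateOriginBefore(headers, allowedOrigins)),
    httpStatus(validateOriginAfter(headers, allowedOrigins)),
  ];
}
```

Only the third request changes outcome: a request with no Origin goes from 403 to 200, while a present but non-allow-listed Origin is still refused by both conditions.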
@jacopoc jacopoc requested a review from a team as a code owner December 1, 2025 18:14
@pkg-pr-new

pkg-pr-new bot commented Dec 1, 2025

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/sdk@1205

commit: 2b77c85

@pcarleton pcarleton merged commit 6083600 into modelcontextprotocol:main Dec 2, 2025
6 checks passed
@jacopoc jacopoc deleted the improve-header-validation-for-dns-rebinding-protection branch December 2, 2025 10:31