
examples: restrict demo CORS origins to localhost #1499

Closed
TheodorNEngoy wants to merge 5 commits into modelcontextprotocol:main from TheodorNEngoy:codex/elicitation-cors-fix


Conversation

TheodorNEngoy commented Feb 8, 2026

Several browser-facing examples configured CORS as origin: '*' (and in one case also credentials: true). While convenient, this is a common copy/paste footgun if the example server is ever exposed beyond localhost.

This PR keeps the intended “works out of the box for local dev / Inspector direct connect” behavior by restricting demo CORS origins to localhost/127.0.0.1/[::1] (any port).

Updated examples:

  • URL elicitation Express demo (previously origin: '*' + credentials: true)
  • simpleStreamableHttp demo
  • auth server demo
  • Hono WebStandard streamable HTTP demo
  • SSE polling demo (previously cors() defaults)

Developers who intentionally expose these demos remotely can widen the allowlist as needed.
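The loopback-only origin check the description proposes (localhost, 127.0.0.1 and [::1] on any port, http or https), written out as an added example. This is not code from this PR or from the SDK's examples. It assumes Node's WHATWG `URL` parser and the `(origin, callback)` delegate shape that the Express `cors` middleware accepts for its `origin` option; the decision to let requests with no `Origin` header through (curl, non-browser MCP clients) is a local-dev assumption of this example, not something the PR states.

```javascript
// Added example (not the SDK's code): loopback-only CORS origin allowlist.
// Hosts follow the PR description: localhost, 127.0.0.1, [::1], any port.
const LOOPBACK_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]']);

// Returns true only for an Origin value that is scheme://host[:port] with a
// loopback host. Look-alikes such as "localhost.evil.example" or
// "127.0.0.1.evil.example" fail the exact-host check.
function isLoopbackOrigin(origin) {
  // Non-strings and the opaque "null" origin (sandboxed frames, file://)
  // are never allowed.
  if (typeof origin !== 'string' || origin === 'null') return false;
  let url;
  try {
    url = new URL(origin);
  } catch {
    return false; // not a parseable absolute URL
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  // A real Origin header carries no userinfo, path, query or fragment;
  // anything beyond scheme://host[:port] is rejected.
  if (url.username || url.password || url.search || url.hash) return false;
  if (url.pathname !== '/') return false;
  // The parser lowercases hostnames and keeps IPv6 brackets, so "[::1]"
  // matches the set entry as-is.
  return LOOPBACK_HOSTS.has(url.hostname);
}

// Delegate in the (origin, callback) shape the `cors` middleware accepts.
// `origin` is undefined when the request has no Origin header, i.e. it is
// not a cross-origin browser request; allowing it is an assumption here
// so that non-browser clients keep working against a local demo.
function loopbackCorsOrigin(origin, callback) {
  if (origin === undefined) return callback(null, true);
  return callback(null, isLoopbackOrigin(origin));
}

// Convenience wrapper for tests and logging: what the delegate decides.
function corsDecision(origin) {
  let decision;
  loopbackCorsOrigin(origin, (err, allowed) => {
    decision = err ? false : allowed;
  });
  return decision;
}

// The permissive option object the PR replaces, beside the hardened one.
// With the wildcard, any site loaded in the developer's browser can call
// the demo server if it is ever reachable beyond localhost.
const permissiveDemoCors = { origin: '*' };
const hardenedDemoCors = { origin: loopbackCorsOrigin };

module.exports = { isLoopbackOrigin, loopbackCorsOrigin, corsDecision, permissiveDemoCors, hardenedDemoCors };
```

Passed to the middleware as `cors(hardenedDemoCors)`, the delegate reflects a matching loopback origin into `Access-Control-Allow-Origin` and emits no header for anything else; widening the allowlist for a remotely exposed demo means adding hosts to `LOOPBACK_HOSTS`, not reverting to `'*'`.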

@TheodorNEngoy TheodorNEngoy requested a review from a team as a code owner February 8, 2026 01:49
changeset-bot commented Feb 8, 2026

⚠️ No Changeset found

Latest commit: 25ff1b6

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets


pkg-pr-new bot commented Feb 8, 2026


@modelcontextprotocol/client

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/client@1499

@modelcontextprotocol/server

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/server@1499

@modelcontextprotocol/express

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/express@1499

@modelcontextprotocol/hono

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/hono@1499

@modelcontextprotocol/node

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/node@1499

commit: 25ff1b6

TheodorNEngoy changed the title from "examples: fix credentialed wildcard CORS in URL elicitation demo" to "examples: restrict demo CORS origins to localhost" on Feb 8, 2026
TheodorNEngoy (Author)

CI note: failed due to pkg.pr.new returning HTTP 500 (Cloudflare worker exception) in the publish step, not due to the code changes. + tests + conformance are green.

TheodorNEngoy (Author)

Correction: the failing check is "pkg-publish"; "build" + tests + conformance are green (pkg.pr.new returned HTTP 500 during publish).

TheodorNEngoy (Author)

FYI: the pkg-publish check looks flaky/transient. It passed on an earlier run for this PR (~02:27 UTC) and then failed with an HTTP 500 / Cloudflare worker error on the latest run. A maintainer rerun should likely go green.

TheodorNEngoy (Author)

Closing to reduce review/conflict noise: the CORS hardening from this PR is now folded into #1494 (which already touches the same example files for localhost binding).

#1494 now also restricts demo CORS to loopback by default (configurable via MCP_CORS_ORIGIN_REGEX).
