cors-test-safety-2026-05-20
CORS allowlist test helper accepts any origin when test-origin header is absent — coverage gap
The CORS test helper in the MCP server validates the allowlist only when a test-origin header is present in the request. If the header is absent the check is skipped entirely, so the test suite passes even with a misconfigured allowlist. Real clients do not send this header, so the coverage gap is invisible in CI.
Evidence
crates/mcp-server/src/jsonrpc_cors_tests.rs — guard condition on test-origin header means absent header == no validation. Identified in review of leighstillard:fix/cors-allowlist (PR #2266).