Fix: POST response carries Access-Control-Allow-Origin
Web-audit fix skill for the
mcp-cors-actualcheck (MCP & API, SHOULD).
Goal
Echo Access-Control-Allow-Origin on the actual MCP POST response.
Fix
Echo Access-Control-Allow-Origin on the actual POST response, not only on the preflight. A browser blocks the response body when the header is absent even if the preflight passed. Omit it deliberately only if browser-origin agents are not a supported client.
Resources
Copy-paste prompt
Paste this into your coding agent, replacing the Issue line with the Result line from your audit:
Verify
Re-run the audit at https://anc.dev/web-audit or call the audit_website MCP tool; the mcp-cors-actual check should report pass.