Duplicate  access-control-allow-origin in response header

I’m integrating the GitHub MCP into an Electron app using @modelcontextprotocol/sdk. When the transport type is set to http, the request triggers a CORS exception.

Happy holidays and thanks for the great work you do all year—really appreciate it!

## Request log

```http

Request URL: https://api.githubcopilot.com/mcp/
Request Method: POST
Status Code: 200 OK

access-control-allow-headers: Content-Type, Authorization, X-MCP-Readonly, X-MCP-Toolsets, Mcp-Session-Id
access-control-allow-methods: GET, POST, OPTIONS
access-control-allow-origin: *
access-control-allow-origin: *
date:Fri, 26 Dec 2025 03:42:49 GMT
mcp-session-id:5187b67a-987f-4bcb-b1f2-bee4da140384
x-github-backend:Kubernetes
x-github-request-id:34FF:57BDD:69DD0:92447:694E0439

```

## CURL  reproduce

<img width="1166" height="663" alt="Image" src="https://github.com/user-attachments/assets/b3587d18-748d-480c-b732-174b46ae0abd" />

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Duplicate access-control-allow-origin in response header #1688

Request log

CURL reproduce

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Duplicate access-control-allow-origin in response header #1688

Description

Request log

CURL reproduce

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions