Conversation

@nbarbettini nbarbettini commented Nov 13, 2025

Motivation and Context

Fast-follow to #887 to address a spec language clarification discussed with @pcarleton.

How Has This Been Tested?

N/A

Breaking Changes

N/A

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Checklist

  • I have read the MCP Documentation
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • I have added or updated documentation as needed

Comment on lines -704 to -705
1. **MUST NOT** include plain text sensitive information about the end-user, including credentials, personal identifiable information, etc., in the URL sent to the client.
1. **MUST NOT** provide a URL which is pre-authenticated to access a protected resource, as the URL could be used to impersonate the user by a malicious client.
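Review bot: the wording that replaces the line at -704 drops the qualifier "plain text" (the added text reads "MUST NOT include sensitive information about the end-user ... in the URL"), which widens the requirement from unobscured secrets to any sensitive value, encoded or encrypted ones included; that is a substantive change rather than a no-op, so either state it in the PR description or keep "plain text" if only unobscured values were meant.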
Contributor Author

These two MUSTs did not change substantively

Comment on lines -702 to -703
1. **MUST NOT** include URLs in any message or schema fields as part of a form mode elicitation request.
1. **MUST NOT** include URLs in any message or schema fields as part of an URL mode elicitation request, except for the `url` field.
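Review bot: only the form-mode half of these two MUST NOTs gets a replacement; the line at -703 (no URLs in message or schema fields of a URL mode request other than `url`) has no successor among the added lines, so confirm the URL-mode restriction is meant to disappear entirely rather than become a SHOULD NOT as well. For -702, the new SHOULD NOT is scoped to URLs "intended to be clickable", but a client that auto-links URLs in message text makes any URL clickable regardless of the server's intent, so a client-side requirement (render form-mode message text as plain text, not as links) would cover the same risk in a testable way.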
Contributor Author

Removed these two MUSTs in favor of a SHOULD

1. **SHOULD** use HTTPS URLs for non-development environments.
1. **MUST NOT** include sensitive information about the end-user, including credentials, personal identifiable information, etc., in the URL sent to the client in a URL elicitation request.
2. **MUST NOT** provide a URL which is pre-authenticated to access a protected resource, as the URL could be used to impersonate the user by a malicious client.
3. **SHOULD NOT** include URLs intended to be clickable in any field of a form mode elicitation request.
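Review bot: "non-development environments" in the first added line and "intended to be clickable" in the last are both left undefined, so neither is checkable in conformance tests even as a SHOULD; give an example of what counts as development (a loopback or localhost URL, for instance) and rephrase the last item in terms of the behaviour wanted (form-mode message text is presented as plain text, not as links). The list numbering also switches from the "1." used on every item in the removed lines to "1., 1., 2., 3."; markdown renders either, but mixing the two styles makes the source noisy to diff, so pick one.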
Contributor Author

Added this SHOULD - still worth calling out IMO, but I think for conformance purposes it can be a SHOULD and doesn't need to be a failing case.

@nbarbettini nbarbettini marked this pull request as ready for review November 13, 2025 15:08
@nbarbettini nbarbettini requested a review from a team as a code owner November 13, 2025 15:08
Member

@pcarleton pcarleton left a comment

awesome lgtm

@pcarleton pcarleton merged commit d631c86 into modelcontextprotocol:main Nov 13, 2025
2 checks passed
@nbarbettini nbarbettini deleted the elicitation-followup branch November 13, 2025 15:17