gh-135056: Add a --cors CLI argument to http.server #135057
Conversation
|
All commit authors signed the Contributor License Agreement. |
|
Most changes to Python require a NEWS entry. Add one using the blurb_it web app or the blurb command-line tool. If this change has little impact on Python users, wait for a maintainer to apply the |
Add a --cors command line argument to the stdlib http.server module, which will add an `Access-Control-Allow-Origin: *` header to all responses. As part of this implementation, add a `response_headers` argument to SimpleHTTPRequestHandler and HttpServer, which allows callers to add addition headers to the response.
3f11652 to
0d02fbe
Compare
Misc/NEWS.d/next/Library/2025-06-02-22-23-38.gh-issue-135056.yz3dSs.rst
Outdated
Show resolved
Hide resolved
Misc/NEWS.d/next/Library/2025-06-02-22-23-38.gh-issue-135056.yz3dSs.rst
Outdated
Show resolved
Hide resolved
|
|
This fixes the breakage to HttpServer as used by wsgiref.
|
test_wsgiref fixed in a3256fd. This should fix any backwards incompatibility errors erroneously introduced in the first commit. |
|
I think it's worth adding to this |
|
For me, I don't think add
|
|
@Zheaoli Please comment in the discussion thread: https://discuss.python.org/t/any-interest-in-adding-a-cors-option-to-python-m-http-server/92120. |
https://discuss.python.org/t/any-interest-in-adding-a-cors-option-to-python-m-http-server/92120/24 |
| @@ -543,6 +553,14 @@ The following options are accepted: | |||
|
|
|||
| .. versionadded:: 3.14 | |||
|
|
|||
| .. option:: --cors | |||
There was a problem hiding this comment.
As Hugo said, since we're anyway exposing response-headers, I think we should also expose it from the CLI. It could be useful for users in general (e.g., --add-header NAME VALUE with the -H alias).
| @@ -0,0 +1,2 @@ | |||
| Add a ``--cors`` cli option to :program:`python -m http.server`. Contributed by | |||
There was a problem hiding this comment.
Let's also update What's New/3.15.rst
There was a problem hiding this comment.
I used blurb to make this entry in NEWS.d, not knowing when it's appropriate to edit the main 3.15.rst file. I think once we know if we're doing --cors / --header , or both, I can make the appropriate update to What's New/3.15.rst
Lib/http/server.py
Outdated
| @@ -132,7 +144,7 @@ class ThreadingHTTPServer(socketserver.ThreadingMixIn, HTTPServer): | |||
| class HTTPSServer(HTTPServer): | |||
| def __init__(self, server_address, RequestHandlerClass, | |||
| bind_and_activate=True, *, certfile, keyfile=None, | |||
| password=None, alpn_protocols=None): | |||
| password=None, alpn_protocols=None, response_headers=None): | |||
There was a problem hiding this comment.
| password=None, alpn_protocols=None, response_headers=None): | |
| password=None, alpn_protocols=None, **http_server_kwargs): |
And pass http_server_kwargs to super()
Lib/http/server.py
Outdated
| args = (request, client_address, self) | ||
| kwargs = {} | ||
| response_headers = getattr(self, 'response_headers', None) | ||
| if response_headers: | ||
| kwargs['response_headers'] = self.response_headers | ||
| self.RequestHandlerClass(*args, **kwargs) |
There was a problem hiding this comment.
| args = (request, client_address, self) | |
| kwargs = {} | |
| response_headers = getattr(self, 'response_headers', None) | |
| if response_headers: | |
| kwargs['response_headers'] = self.response_headers | |
| self.RequestHandlerClass(*args, **kwargs) | |
| kwargs = {} | |
| if hasattr(self, 'response_headers'): | |
| kwargs['response_headers'] = self.response_headers | |
| self.RequestHandlerClass(request, client_address, self, **kwargs) |
There was a problem hiding this comment.
@picnixz I made this requested change in 77b5fff. Note though that now HTTPServer will pass response_headers to the RequestHandler class even if response_headers is None or {}. Most RequestHandler implementation constructor implementations don't take this argument, so in order for this to work I added **kwargs as an argument to BaseRequestHandler.__init__. My earlier implementation was trying to prevent this, to keep any changes to only http/server.py and not need to touch anything in socketserver.py. Perhaps the **kwargs addition is ok, or I'm open to other solutions if we can think of better ones.
Lib/http/server.py
Outdated
| def __init__(self, *args, directory=None, response_headers=None, **kwargs): | ||
| if directory is None: | ||
| directory = os.getcwd() | ||
| self.directory = os.fspath(directory) | ||
| self.response_headers = response_headers or {} |
There was a problem hiding this comment.
| def __init__(self, *args, directory=None, response_headers=None, **kwargs): | |
| if directory is None: | |
| directory = os.getcwd() | |
| self.directory = os.fspath(directory) | |
| self.response_headers = response_headers or {} | |
| def __init__(self, *args, directory=None, response_headers=None, **kwargs): | |
| if directory is None: | |
| directory = os.getcwd() | |
| self.directory = os.fspath(directory) | |
| self.response_headers = response_headers |
You're already checking for is not None later
Lib/http/server.py
Outdated
| @@ -970,7 +991,7 @@ def _get_best_family(*address): | |||
| def test(HandlerClass=BaseHTTPRequestHandler, | |||
| ServerClass=ThreadingHTTPServer, | |||
| protocol="HTTP/1.0", port=8000, bind=None, | |||
| tls_cert=None, tls_key=None, tls_password=None): | |||
| tls_cert=None, tls_key=None, tls_password=None, response_headers=None): | |||
There was a problem hiding this comment.
| tls_cert=None, tls_key=None, tls_password=None, response_headers=None): | |
| tls_cert=None, tls_key=None, tls_password=None, | |
| response_headers=None): |
Let's group the parameters per purpose
Lib/http/server.py
Outdated
| handler_args = (request, client_address, self) | ||
| handler_kwargs = dict(directory=args.directory) | ||
| if self.response_headers: | ||
| handler_kwargs['response_headers'] = self.response_headers | ||
| self.RequestHandlerClass(*handler_args, **handler_kwargs) |
There was a problem hiding this comment.
| handler_args = (request, client_address, self) | |
| handler_kwargs = dict(directory=args.directory) | |
| if self.response_headers: | |
| handler_kwargs['response_headers'] = self.response_headers | |
| self.RequestHandlerClass(*handler_args, **handler_kwargs) | |
| self.RequestHandlerClass(request, client_address, self, | |
| directory=args.directory, | |
| response_headers=self.response_headers) |
| @@ -95,7 +96,8 @@ def run(self): | |||
| request_handler=self.request_handler, | |||
| ) | |||
| else: | |||
| self.server = HTTPServer(('localhost', 0), self.request_handler) | |||
| self.server = HTTPServer(('localhost', 0), self.request_handler, | |||
There was a problem hiding this comment.
You must also modify create_https_server appropriately
Lib/test/test_httpservers.py
Outdated
| server_kwargs = dict( | ||
| response_headers = {'Access-Control-Allow-Origin': '*'} | ||
| ) |
There was a problem hiding this comment.
| server_kwargs = dict( | |
| response_headers = {'Access-Control-Allow-Origin': '*'} | |
| ) | |
| server_kwargs = { | |
| 'response_headers': {'Access-Control-Allow-Origin': '*'} | |
| } |
| server_kwargs = dict( | ||
| response_headers = {'Access-Control-Allow-Origin': '*'} | ||
| ) | ||
| def test_cors(self): |
There was a problem hiding this comment.
| def test_cors(self): | |
| def test_cors(self): |
3024d3d to
5f89c97
Compare
|
@picnixz I have made all your suggested changes in 77b5fff . I have also implemented a generic |
|
I think we should just have |
|
And what are your thoughts on positional args like HTTPie? https://discuss.python.org/t/any-interest-in-adding-a-cors-option-to-python-m-http-server/92120/24 |
| @@ -437,6 +444,9 @@ instantiation, of which this module provides three different variants: | |||
| .. versionchanged:: 3.7 | |||
| Support of the ``'If-Modified-Since'`` header. | |||
|
|
|||
| .. versionchanged:: next | |||
| Support ``response_headers`` as an instance argument. | |||
There was a problem hiding this comment.
Isn’t this redundant with the entry already under the constructor heading?
| @@ -1052,14 +1081,21 @@ def server_bind(self): | |||
|
|
|||
| def finish_request(self, request, client_address): | |||
| self.RequestHandlerClass(request, client_address, self, | |||
| directory=args.directory) | |||
| directory=args.directory, | |||
| response_headers=self.response_headers) | |||
There was a problem hiding this comment.
Why not do this the same way the --directory or --protocol options are implemented? Either way should avoid adding internal parameters to unrelated HTTPServer and BaseRequestHandler classes.
You could build the response_headers dictionary before the DualStackServerMixin class, and then pass it by referencing the outer scope like is already done with args.directory:
| response_headers=self.response_headers) | |
| response_headers=response_headers) |
Or set the response_headers attribute on the SimpleHTTPRequestHandler class rather than in its constructor, like is done for protocol_verison in the test function.
| @@ -374,6 +374,10 @@ instantiation, of which this module provides three different variants: | |||
| .. versionchanged:: 3.9 | |||
| The *directory* parameter accepts a :term:`path-like object`. | |||
|
|
|||
| .. versionchanged:: next | |||
| The *response_headers* parameter accepts an optional dictionary of | |||
There was a problem hiding this comment.
In previous versions, this was not a valid parameter at all.
| The *response_headers* parameter accepts an optional dictionary of | |
| Added *response_headers*, which accepts an optional dictionary of |
Also, did you consider accepting a list or iterable of (name, value) pairs instead, like returned by http.client.HTTPResponse.getheaders? That would be better for sending multiple Set-Cookie fields.
| @@ -374,6 +374,10 @@ instantiation, of which this module provides three different variants: | |||
| .. versionchanged:: 3.9 | |||
| The *directory* parameter accepts a :term:`path-like object`. | |||
|
|
|||
| .. versionchanged:: next | |||
| The *response_headers* parameter accepts an optional dictionary of | |||
| additional HTTP headers to add to each response. | |||
There was a problem hiding this comment.
Might be worth clarifying how these fields interact with other fields such as Server specified under BaseHTTPRequestHandler.send_response, and Last-Modified under do_GET.
Also clarify which responses the fields are included in, assuming it wasn’t your intention to include them for 404 Not Found, 304 Not Modified, lower-level errors, etc.
| if self.response_headers is not None: | ||
| for header, value in self.response_headers.items(): | ||
| self.send_header(header, value) |
There was a problem hiding this comment.
Or is moving this to an extended send_response override an option? That way you would include the fields for all responses.
| if directory is None: | ||
| directory = os.getcwd() | ||
| self.directory = os.fspath(directory) | ||
| self.response_headers = response_headers |
There was a problem hiding this comment.
Clarify as an internal private attribute:
| self.response_headers = response_headers | |
| self._response_headers = response_headers |
Or document SimpleHTTPRequestHandler.response_headers as a public attribute.
| ) | ||
| else: | ||
| self.server = HTTPServer(('localhost', 0), self.request_handler) | ||
| self.server = HTTPServer(('localhost', 0), self.request_handler, | ||
| **self.server_kwargs) |
There was a problem hiding this comment.
This appears to only be testing the undocumented or internal HTTPServer parameter. It would be good to test the new documented SimpleHTTPRequestHandler parameter instead or as well.
As proposed in #135056, Add a --cors command line argument to the stdlib http.server module, which will add an
Access-Control-Allow-Origin: *header to all responses.Invocation:
As part of this implementation, add a
response_headersargument toSimpleHTTPRequestHandlerandHTTPServer, which allows callers to add addition headers to the response. Ideally it would have been possible to just have made aCorsHttpServerclass, but a couple of issues made that difficult:http.serverCLI uses more than one HTTP Server class, in order to support TLS/HTTPS. So a single CorsHttpServer child class wouldn't work to support both use cases.RequestHandlerclasses. However, theHttpServerclasses didn't have an easy way to pass arguments down into the instantiated handlers.As a result, this PR updates both
HTTPServerandSimpleHTTPRequestHandlerto accept aresponse_headersargument, which allows callers to specify an additional set of HTTP headers to pass in the response.HTTPServernow overridesfinish_requestto pass this new kwarg down to itsRequestHandler.SimpleHTTPRequestHandlernow accepts aresposnse_headerskwarg, to optionally specify a dictionary of additional headers to send in the response.Care is taken to not pass the
response_headersargument to any instance constructors when not provided, to ensure backwards compatibility. I tried to keep the implementation as short and simple as possible.With the addition of a
response_headersargument, we allow ourselves to have a future possible custom header http argument, such as:📚 Documentation preview 📚: https://cpython-previews--135057.org.readthedocs.build/