gh-135056: Add a --header CLI argument to http.server

[aisipos]

As proposed in #135056, Add a --cors command line argument to the stdlib http.server module, which will add an Access-Control-Allow-Origin: * header to all responses.

Invocation:

python -m http.server --cors

As part of this implementation, add a response_headers argument to SimpleHTTPRequestHandler and HTTPServer, which allows callers to add addition headers to the response. Ideally it would have been possible to just have made a CorsHttpServer class, but a couple of issues made that difficult:

• The http.server CLI uses more than one HTTP Server class, in order to support TLS/HTTPS. So a single CorsHttpServer child class wouldn't work to support both use cases.
• Much of the work in specifying HTTP behavior is handled by the various RequestHandler classes. However, the HttpServer classes didn't have an easy way to pass arguments down into the instantiated handlers.

As a result, this PR updates both HTTPServer and SimpleHTTPRequestHandler to accept a response_headers argument, which allows callers to specify an additional set of HTTP headers to pass in the response.

• HTTPServer now overrides finish_request to pass this new kwarg down to its RequestHandler.
• SimpleHTTPRequestHandler now accepts a resposnse_headers kwarg, to optionally specify a dictionary of additional headers to send in the response.

Care is taken to not pass the response_headers argument to any instance constructors when not provided, to ensure backwards compatibility. I tried to keep the implementation as short and simple as possible.

With the addition of a response_headers argument, we allow ourselves to have a future possible custom header http argument, such as:

python -m http.server -H 'custom-header: custom-value'

• Issue: Add a --cors command line option to stdlib http.server #135056

---

📚 Documentation preview 📚: https://cpython-previews--135057.org.readthedocs.build/

[python-cla-bot]

All commit authors signed the Contributor License Agreement.

[bedevere-app]

Most changes to Python require a NEWS entry. Add one using the blurb_it web app or the blurb command-line tool.

If this change has little impact on Python users, wait for a maintainer to apply the skip news label instead.

[hugovk]

(I'd prefer a general headers option, but will comment on the issue or Discourse topic)

[aisipos]

test_wsgiref is failing. I'll look into it.

[aisipos]

test_wsgiref fixed in a3256fd. This should fix any backwards incompatibility errors erroneously introduced in the first commit.

[donbarbos]

I think it's worth adding to this What's New entry (./Doc/whatsnew/3.15.rst)

[Zheaoli]

For me, I don't think add --cors CLI argument would be a good idea. Base on following reasons:

1. The CORS policy is a complicated idea. Six response headers are included by the word(If I'm correct). If you set the Access-Control-Allow-Origin, and now the people may need Access-Control-Allow-Methods( Allow for OPTION method). What is the next argument we need to add?
2. The CLI for http.server is just for a debug target. So we design the CLI as simple as we can. The developer don't need to care about any extra detail when they run just a simple debug server.
3. if we need CORS policy in the future. I suggest we setup all the header for developer and don't need to add cli for it.

[hugovk]

@Zheaoli Please comment in the discussion thread: https://discuss.python.org/t/any-interest-in-adding-a-cors-option-to-python-m-http-server/92120.

[hugovk]

(I'd prefer a general headers option, but will comment on the issue or Discourse topic)

https://discuss.python.org/t/any-interest-in-adding-a-cors-option-to-python-m-http-server/92120/24

[picnixz]

I'm not very fond of how the HTTP server class is growing more and more with more __init__ parameters, but I don't have a better idea for now. Maybe a generic configuration object but this would be an overkill for this class in particular I think.

[picnixz]

As Hugo said, since we're anyway exposing response-headers, I think we should also expose it from the CLI. It could be useful for users in general (e.g., --add-header NAME VALUE with the -H alias).

[picnixz]

Let's also update What's New/3.15.rst

[aisipos]

I used blurb to make this entry in NEWS.d, not knowing when it's appropriate to edit the main 3.15.rst file. I think once we know if we're doing --cors / --header , or both, I can make the appropriate update to What's New/3.15.rst

[picnixz]

Suggested change

	password=None, alpn_protocols=None, response_headers=None):
	password=None, alpn_protocols=None, **http_server_kwargs):

And pass http_server_kwargs to super()

[picnixz]

Suggested change

	args = (request, client_address, self)
	kwargs = {}
	response_headers = getattr(self, 'response_headers', None)
	if response_headers:
	kwargs['response_headers'] = self.response_headers
	self.RequestHandlerClass(*args, **kwargs)
	kwargs = {}
	if hasattr(self, 'response_headers'):
	kwargs['response_headers'] = self.response_headers
	self.RequestHandlerClass(request, client_address, self, **kwargs)

[aisipos]

@picnixz I made this requested change in 77b5fff. Note though that now HTTPServer will pass response_headers to the RequestHandler class even if response_headers is None or {}. Most RequestHandler implementation constructor implementations don't take this argument, so in order for this to work I added **kwargs as an argument to BaseRequestHandler.__init__. My earlier implementation was trying to prevent this, to keep any changes to only http/server.py and not need to touch anything in socketserver.py. Perhaps the **kwargs addition is ok, or I'm open to other solutions if we can think of better ones.

[picnixz]

Suggested change

	def __init__(self, *args, directory=None, response_headers=None, **kwargs):
	if directory is None:
	directory = os.getcwd()
	self.directory = os.fspath(directory)
	self.response_headers = response_headers or {}
	def __init__(self, *args, directory=None, response_headers=None, **kwargs):
	if directory is None:
	directory = os.getcwd()
	self.directory = os.fspath(directory)
	self.response_headers = response_headers

You're already checking for is not None later

[picnixz]

Suggested change

	tls_cert=None, tls_key=None, tls_password=None, response_headers=None):
	tls_cert=None, tls_key=None, tls_password=None,
	response_headers=None):

Let's group the parameters per purpose

[picnixz]

Suggested change

	handler_args = (request, client_address, self)
	handler_kwargs = dict(directory=args.directory)
	if self.response_headers:
	handler_kwargs['response_headers'] = self.response_headers
	self.RequestHandlerClass(*handler_args, **handler_kwargs)
	self.RequestHandlerClass(request, client_address, self,
	directory=args.directory,
	response_headers=self.response_headers)

[picnixz]

You must also modify create_https_server appropriately

[picnixz]

Suggested change

	server_kwargs = dict(
	response_headers = {'Access-Control-Allow-Origin': '*'}
	)
	server_kwargs = {
	'response_headers': {'Access-Control-Allow-Origin': '*'}
	}

[picnixz]

Suggested change

	def test_cors(self):
	def test_cors(self):

[aisipos]

@picnixz I have made all your suggested changes in 77b5fff . I have also implemented a generic -H or --header cli argument in 5f89c97. Now this PR contains both --cors and --header. I don't know if we want both, there doesn't seem to yet be consensus on what we prefer, although Core devs so far seem to lean on just --header.

[hugovk]

I think we should just have --header, as that unlocks the ability to enable CORS. We can still add --cors later if there's demand and consensus.

[hugovk]

And what are your thoughts on positional args like HTTPie?

https://discuss.python.org/t/any-interest-in-adding-a-cors-option-to-python-m-http-server/92120/24

[vadmium]

Isn’t this redundant with the entry already under the constructor heading?

[aisipos]

Perhaps - it seems the constructor documentation is used to make a brief mention of each argument and when it was added, with more detail being filled in later. My latest commits make several changes requested elsewhere for other reasons, but if the current version is still too redundant in multiple places I can make some more edits.

[picnixz]

I don't think we should add this information. There is no notion of an "instance argument": it should rather be an instance attribute, and this should be documented through a .. attribute::, below .. attribute:: extensions_map

[vadmium]

Why not do this the same way the --directory or --protocol options are implemented? Either way should avoid adding internal parameters to unrelated HTTPServer and BaseRequestHandler classes.

You could build the response_headers dictionary before the DualStackServerMixin class, and then pass it by referencing the outer scope like is already done with args.directory:

Suggested change

	response_headers=self.response_headers)
	response_headers=response_headers)

Or set the response_headers attribute on the SimpleHTTPRequestHandler class rather than in its constructor, like is done for protocol_verison in the test function.

[aisipos]

I followed your advice, see b1026d2. I made response_headers an argument to SimpleHTTPRequestHandler only, and send the argument to it in the DualStackServerMixin class.

[vadmium]

In previous versions, this was not a valid parameter at all.

Suggested change

	The *response_headers* parameter accepts an optional dictionary of
	Added *response_headers*, which accepts an optional dictionary of

Also, did you consider accepting a list or iterable of (name, value) pairs instead, like returned by http.client.HTTPResponse.getheaders? That would be better for sending multiple Set-Cookie fields.

[aisipos]

Ah yes, sending multiple headers of the same name would indeed be necessary. I updated to use an iterable of name value pairs instead in 7a793f2

[vadmium]

Might be worth clarifying how these fields interact with other fields such as Server specified under BaseHTTPRequestHandler.send_response, and Last-Modified under do_GET.

Also clarify which responses the fields are included in, assuming it wasn’t your intention to include them for 404 Not Found, 304 Not Modified, lower-level errors, etc.

[aisipos]

In the latest commits, I've noted that the custom headers are only sent in success cases. What do you mean by interaction though? The custom headers currently get sent after Last-Modified, should I mention the placement of the custom headers and that they appear after Last-Modified?

[vadmium]

Or is moving this to an extended send_response override an option? That way you would include the fields for all responses.

[vadmium]

Clarify as an internal private attribute:

Suggested change

	self.response_headers = response_headers
	self._response_headers = response_headers

Or document SimpleHTTPRequestHandler.response_headers as a public attribute.

[aisipos]

So far I have intended response_headers to be a public attribute. Do you mean add documentation to the docstring of SimpleHTTPRequestHandler or more documentation in Doc/library/http.server.rst?

[vadmium]

This appears to only be testing the undocumented or internal HTTPServer parameter. It would be good to test the new documented SimpleHTTPRequestHandler parameter instead or as well.

[aisipos]

I have removed server_kwargs in the latest updates, and updated the tests. The only external change now is response_headers as an instance arg to SimpleHTTPRequestHandler

[aisipos]

Btw, sorry for updating the branch like that but I wanted to update it to the state I wanted. And then I thought about multiple requests and the problem of having the headers list growing... Can you add a test for that as well to avoid duplicated headers and to be sure that headers are updated accordingly?

@picnixz The new attributes are on the request handler, shouldn't a new request handler be made on each request, so the instances shouldn't be shared on concurrent requests? I did make a test that makes 8 threads to make 8 concurrent requests, and asserts the response headers aren't duplicated. See commit 280cea3

[picnixz]

In seend_request() there is a while loop so I was worried about that.

[aisipos]

Also the new test is leaking some resources causing it to break, I'll fix but will have to look at it tomorrow.

[aisipos]

@hugovk It seems there was a transient failure (I think?) of Github actions communicating to Ubuntu PPAs, and many of the test runs just failed in this PR. Can you manually re-run the tests please?

[hugovk]

Restarted! Canonical/Ubuntu are having some issues:

https://status.canonical.com/

[aisipos]

@hugovk Sorry to ask again, I think we restarted the tests before the Canonical outage ended. All the Ubuntu tests failed again with PPA problems. Would you mind running the tests again?

Looks like it might still be down, Canonical is under a massive attack. I guess I'll keep an eye on the situation and reach out once things are ready again.

[hugovk]

I've merged in main to include this workaround: #149248.

[aisipos]

@picnixz OK, all tests are passing now. The new test test_extra_response_headers_concurrent_requests tests that the headers are correct in the case of concurrent requests, although I suspect it's not testing everything you're concerned about. Still, it's very close to the merge deadline for the 3.15 beta - would be good to get this merged shortly if you agree.

[picnixz]

Thanks for adding the tests. I don't remember if I asked but:

• L797: we are not sending additional headers for MOVED_PERMANENTLY
• L847: neither are we for NOT_MODIFIED

I don't think it's important that custom headers are sent in the above cases but I wanted to note them down. I think we can merge this and then we'll just fix the issues during the beta.

[picnixz]

Did we consider using not hasattr(...) check as for _headers_buffer? it's mostly for a follow-up/refactoring. If we go that path, we would remove the _default_response_headers = [] in handle() and put it in flush_headers() instead, right? It would re-construct the default_response_headers for each request but this also mean that if a request does (in the future) send_header(..., is_extra=True), that is_extra is "local" to the current request and won't pollute next requests. For now it doesn't matter though but I'll write it here to remember.

[aisipos]

I actually didn't look at the pattern used for _headers_buffer. For consistency and correctness, yes it does seem like the right thing to do it that way. I've made that change in 597b973.

[picnixz]

One minor comment on the test because threaded stuff can fail badly on buildbots. But we can address it later.

[picnixz]

Ah, maybe this can hang. I don't know if this test was written as for other tests, but this may hang in some build bots. The server_thread.join call below should be added as a finalizer just in case. And we should have a short timeout before aborting the thread.

[aisipos]

Ok, I added some addCleanup calls in c40f8b1 to help prevent a hang. If you think there's still a risk of the test hanging, I can just remove the test for now until we come up with a better idea.

[aisipos]

I still saw some resource leaking, so I just ended up removing test_extra_response_headers_concurrent_requests in 347b968 . We can add a more robust test later if need be, but I didn't want to leave a flaky test in that risked breaking.

After that checkin, there was still an env changed leakage in a windows build. I refactored a different test test_extra_response_headers_arg in a249eea to not create a server and thus also less likely to leak. After that checkin, all tests are passing.

[aisipos]

@hugovk @picnixz Thanks everyone for the help. OK, after adjusting the tests a little in the last commits all tests are passing (and not leaking) again. Is there anything left to do, or is this PR now ready to merge?

[picnixz]

I will run tje build bots to see if tests are hangijg somehoe ans then I will merge. Come back in a few hours to check but do not commit anything or update the branch meanwhile

[bedevere-bot]

🤖 New build scheduled with the buildbot fleet by @picnixz for commit a249eea 🤖

Results will be shown at:

https://buildbot.python.org/all/#/grid?branch=refs%2Fpull%2F135057%2Fmerge

If you want to schedule another build, you need to add the 🔨 test-with-buildbots label again.

[picnixz]

Ok, so we still have some file leakge but I don't think it's coming from you in particular. We can fix this is in a follow-up. Other failures are unrelated.

[hugovk]

@aisipos Thank you for your contribution!

[picnixz]

Thank you for the PR! It was not straightforward, so thank you for your patience! We will fix bugs or other incompatibilities during the beta (but for that we need people testing the interface)