gh-135056: Add a --cors CLI argument to http.server #135057
Conversation
|
All commit authors signed the Contributor License Agreement. |
|
Most changes to Python require a NEWS entry. Add one using the blurb_it web app or the blurb command-line tool. If this change has little impact on Python users, wait for a maintainer to apply the |
Add a --cors command line argument to the stdlib http.server module, which will add an `Access-Control-Allow-Origin: *` header to all responses. As part of this implementation, add a `response_headers` argument to SimpleHTTPRequestHandler and HttpServer, which allows callers to add addition headers to the response.
3f11652 to
0d02fbe
Compare
Misc/NEWS.d/next/Library/2025-06-02-22-23-38.gh-issue-135056.yz3dSs.rst
Outdated
Show resolved
Hide resolved
Misc/NEWS.d/next/Library/2025-06-02-22-23-38.gh-issue-135056.yz3dSs.rst
Outdated
Show resolved
Hide resolved
|
|
This fixes the breakage to HttpServer as used by wsgiref.
|
test_wsgiref fixed in a3256fd. This should fix any backwards incompatibility errors erroneously introduced in the first commit. |
|
I think it's worth adding to this |
|
For me, I don't think add
|
|
@Zheaoli Please comment in the discussion thread: https://discuss.python.org/t/any-interest-in-adding-a-cors-option-to-python-m-http-server/92120. |
https://discuss.python.org/t/any-interest-in-adding-a-cors-option-to-python-m-http-server/92120/24 |
| @@ -543,6 +553,14 @@ The following options are accepted: | |||
|
|
|||
| .. versionadded:: 3.14 | |||
|
|
|||
| .. option:: --cors | |||
There was a problem hiding this comment.
As Hugo said, since we're anyway exposing response-headers, I think we should also expose it from the CLI. It could be useful for users in general (e.g., --add-header NAME VALUE with the -H alias).
| @@ -0,0 +1,2 @@ | |||
| Add a ``--cors`` cli option to :program:`python -m http.server`. Contributed by | |||
There was a problem hiding this comment.
Let's also update What's New/3.15.rst
| @@ -132,7 +144,7 @@ class ThreadingHTTPServer(socketserver.ThreadingMixIn, HTTPServer): | |||
| class HTTPSServer(HTTPServer): | |||
| def __init__(self, server_address, RequestHandlerClass, | |||
| bind_and_activate=True, *, certfile, keyfile=None, | |||
| password=None, alpn_protocols=None): | |||
| password=None, alpn_protocols=None, response_headers=None): | |||
There was a problem hiding this comment.
| password=None, alpn_protocols=None, response_headers=None): | |
| password=None, alpn_protocols=None, **http_server_kwargs): |
And pass http_server_kwargs to super()
| args = (request, client_address, self) | ||
| kwargs = {} | ||
| response_headers = getattr(self, 'response_headers', None) | ||
| if response_headers: | ||
| kwargs['response_headers'] = self.response_headers | ||
| self.RequestHandlerClass(*args, **kwargs) |
There was a problem hiding this comment.
| args = (request, client_address, self) | |
| kwargs = {} | |
| response_headers = getattr(self, 'response_headers', None) | |
| if response_headers: | |
| kwargs['response_headers'] = self.response_headers | |
| self.RequestHandlerClass(*args, **kwargs) | |
| kwargs = {} | |
| if hasattr(self, 'response_headers'): | |
| kwargs['response_headers'] = self.response_headers | |
| self.RequestHandlerClass(request, client_address, self, **kwargs) |
| def __init__(self, *args, directory=None, response_headers=None, **kwargs): | ||
| if directory is None: | ||
| directory = os.getcwd() | ||
| self.directory = os.fspath(directory) | ||
| self.response_headers = response_headers or {} |
There was a problem hiding this comment.
| def __init__(self, *args, directory=None, response_headers=None, **kwargs): | |
| if directory is None: | |
| directory = os.getcwd() | |
| self.directory = os.fspath(directory) | |
| self.response_headers = response_headers or {} | |
| def __init__(self, *args, directory=None, response_headers=None, **kwargs): | |
| if directory is None: | |
| directory = os.getcwd() | |
| self.directory = os.fspath(directory) | |
| self.response_headers = response_headers |
You're already checking for is not None later
| @@ -970,7 +991,7 @@ def _get_best_family(*address): | |||
| def test(HandlerClass=BaseHTTPRequestHandler, | |||
| ServerClass=ThreadingHTTPServer, | |||
| protocol="HTTP/1.0", port=8000, bind=None, | |||
| tls_cert=None, tls_key=None, tls_password=None): | |||
| tls_cert=None, tls_key=None, tls_password=None, response_headers=None): | |||
There was a problem hiding this comment.
| tls_cert=None, tls_key=None, tls_password=None, response_headers=None): | |
| tls_cert=None, tls_key=None, tls_password=None, | |
| response_headers=None): |
Let's group the parameters per purpose
| handler_args = (request, client_address, self) | ||
| handler_kwargs = dict(directory=args.directory) | ||
| if self.response_headers: | ||
| handler_kwargs['response_headers'] = self.response_headers | ||
| self.RequestHandlerClass(*handler_args, **handler_kwargs) |
There was a problem hiding this comment.
| handler_args = (request, client_address, self) | |
| handler_kwargs = dict(directory=args.directory) | |
| if self.response_headers: | |
| handler_kwargs['response_headers'] = self.response_headers | |
| self.RequestHandlerClass(*handler_args, **handler_kwargs) | |
| self.RequestHandlerClass(request, client_address, self, | |
| directory=args.directory, | |
| response_headers=self.response_headers) |
| @@ -95,7 +96,8 @@ def run(self): | |||
| request_handler=self.request_handler, | |||
| ) | |||
| else: | |||
| self.server = HTTPServer(('localhost', 0), self.request_handler) | |||
| self.server = HTTPServer(('localhost', 0), self.request_handler, | |||
There was a problem hiding this comment.
You must also modify create_https_server appropriately
| server_kwargs = dict( | ||
| response_headers = {'Access-Control-Allow-Origin': '*'} | ||
| ) |
There was a problem hiding this comment.
| server_kwargs = dict( | |
| response_headers = {'Access-Control-Allow-Origin': '*'} | |
| ) | |
| server_kwargs = { | |
| 'response_headers': {'Access-Control-Allow-Origin': '*'} | |
| } |
| server_kwargs = dict( | ||
| response_headers = {'Access-Control-Allow-Origin': '*'} | ||
| ) | ||
| def test_cors(self): |
There was a problem hiding this comment.
| def test_cors(self): | |
| def test_cors(self): |
As proposed in #135056, Add a --cors command line argument to the stdlib http.server module, which will add an
Access-Control-Allow-Origin: *header to all responses.Invocation:
As part of this implementation, add a
response_headersargument toSimpleHTTPRequestHandlerandHTTPServer, which allows callers to add addition headers to the response. Ideally it would have been possible to just have made aCorsHttpServerclass, but a couple of issues made that difficult:http.serverCLI uses more than one HTTP Server class, in order to support TLS/HTTPS. So a single CorsHttpServer child class wouldn't work to support both use cases.RequestHandlerclasses. However, theHttpServerclasses didn't have an easy way to pass arguments down into the instantiated handlers.As a result, this PR updates both
HTTPServerandSimpleHTTPRequestHandlerto accept aresponse_headersargument, which allows callers to specify an additional set of HTTP headers to pass in the response.HTTPServernow overridesfinish_requestto pass this new kwarg down to itsRequestHandler.SimpleHTTPRequestHandlernow accepts aresposnse_headerskwarg, to optionally specify a dictionary of additional headers to send in the response.Care is taken to not pass the
response_headersargument to any instance constructors when not provided, to ensure backwards compatibility. I tried to keep the implementation as short and simple as possible.With the addition of a
response_headersargument, we allow ourselves to have a future possible custom header http argument, such as:📚 Documentation preview 📚: https://cpython-previews--135057.org.readthedocs.build/