Skip to content

gh-135056: Add a --cors CLI argument to http.server #135057

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

gh-135056: Add a --cors CLI argument to http.server #135057

wants to merge 3 commits into from
+87 −12

Conversation

aisipos
Copy link

@aisipos aisipos commented Jun 3, 2025
edited by github-actions bot
Loading

As proposed in #135056, Add a --cors command line argument to the stdlib http.server module, which will add an Access-Control-Allow-Origin: * header to all responses.

Invocation:

python -m http.server --cors

As part of this implementation, add a response_headers argument to SimpleHTTPRequestHandler and HTTPServer, which allows callers to add addition headers to the response. Ideally it would have been possible to just have made a CorsHttpServer class, but a couple of issues made that difficult:

  • The http.server CLI uses more than one HTTP Server class, in order to support TLS/HTTPS. So a single CorsHttpServer child class wouldn't work to support both use cases.
  • Much of the work in specifying HTTP behavior is handled by the various RequestHandler classes. However, the HttpServer classes didn't have an easy way to pass arguments down into the instantiated handlers.

As a result, this PR updates both HTTPServer and SimpleHTTPRequestHandler to accept a response_headers argument, which allows callers to specify an additional set of HTTP headers to pass in the response.

  • HTTPServer now overrides finish_request to pass this new kwarg down to its RequestHandler.
  • SimpleHTTPRequestHandler now accepts a resposnse_headers kwarg, to optionally specify a dictionary of additional headers to send in the response.

Care is taken to not pass the response_headers argument to any instance constructors when not provided, to ensure backwards compatibility. I tried to keep the implementation as short and simple as possible.

With the addition of a response_headers argument, we allow ourselves to have a future possible custom header http argument, such as:

python -m http.server -H 'custom-header: custom-value'

📚 Documentation preview 📚: https://cpython-previews--135057.org.readthedocs.build/

@python-cla-bot
Copy link

python-cla-bot bot commented Jun 3, 2025
edited
Loading

All commit authors signed the Contributor License Agreement.

CLA signed

@bedevere-app
Copy link

bedevere-app bot commented Jun 3, 2025

Most changes to Python require a NEWS entry. Add one using the blurb_it web app or the blurb command-line tool.

If this change has little impact on Python users, wait for a maintainer to apply the skip news label instead.

@bedevere-app bedevere-app bot mentioned this pull request Jun 3, 2025
Open
@aisipos
pythongh-135056: Add a --cors CLI argument to http.server
0d02fbe 
Add a --cors command line argument to the stdlib http.server module, which will
add an `Access-Control-Allow-Origin: *` header to all responses. As part of this
implementation, add a `response_headers` argument to SimpleHTTPRequestHandler
and HttpServer, which allows callers to add addition headers to the response.
@aisipos aisipos force-pushed the https-server-cors-issue-135056 branch from 3f11652 to 0d02fbe Compare June 3, 2025 05:24
hugovk
hugovk reviewed Jun 3, 2025
View reviewed changes
Copy link
Member

@hugovk hugovk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(I'd prefer a general headers option, but will comment on the issue or Discourse topic)

Doc/library/http.server.rst Outdated
@@ -374,6 +374,10 @@ instantiation, of which this module provides three different variants:
.. versionchanged:: 3.9
The *directory* parameter accepts a :term:`path-like object`.

.. versionchanged:: 3.15
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
.. versionchanged:: 3.15
.. versionchanged:: next

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed in 1838da7

Misc/NEWS.d/next/Library/2025-06-02-22-23-38.gh-issue-135056.yz3dSs.rst Outdated
@@ -0,0 +1,2 @@
Add a ``--cors`` cli option to ``python -m http.server``. Contributed by
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Add a ``--cors`` cli option to ``python -m http.server``. Contributed by
Add a ``--cors`` CLI option to :program:`python -m http.server`. Contributed by

Misc/NEWS.d/next/Library/2025-06-02-22-23-38.gh-issue-135056.yz3dSs.rst Outdated
@@ -0,0 +1,2 @@
Add a ``--cors`` cli option to ``python -m http.server``. Contributed by
Anton I. Sipos
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Anton I. Sipos
Anton I. Sipos.

@aisipos
Copy link
Author

aisipos commented Jun 3, 2025

test_wsgiref is failing. I'll look into it.

@aisipos
pythongh-13056: Allow unspecified response_headers in HTTPServer.
a3256fd 
This fixes the breakage to HttpServer as used by wsgiref.
@aisipos
Copy link
Author

aisipos commented Jun 3, 2025

test_wsgiref fixed in a3256fd. This should fix any backwards incompatibility errors erroneously introduced in the first commit.

@donBarbos
Copy link
Contributor

I think it's worth adding to this What's New entry (./Doc/whatsnew/3.15.rst)

@Zheaoli
Copy link
Contributor

Zheaoli commented Jun 6, 2025

For me, I don't think add --cors CLI argument would be a good idea. Base on following reasons:

  1. The CORS policy is a complicated idea. Six response headers are included by the word(If I'm correct). If you set the Access-Control-Allow-Origin, and now the people may need Access-Control-Allow-Methods( Allow for OPTION method). What is the next argument we need to add?
  2. The CLI for http.server is just for a debug target. So we design the CLI as simple as we can. The developer don't need to care about any extra detail when they run just a simple debug server.
  3. if we need CORS policy in the future. I suggest we setup all the header for developer and don't need to add cli for it.

@aisipos aisipos requested a review from hugovk June 6, 2025 23:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hugovk hugovk Awaiting requested review from hugovk

Assignees
No one assigned
Labels
awaiting review
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@aisipos @donBarbos @Zheaoli @hugovk