gh-135056: Add a --header CLI argument to http.server

[aisipos]

As proposed in #135056, Add a --cors command line argument to the stdlib http.server module, which will add an Access-Control-Allow-Origin: * header to all responses.

Invocation:

python -m http.server --cors

As part of this implementation, add a response_headers argument to SimpleHTTPRequestHandler and HTTPServer, which allows callers to add addition headers to the response. Ideally it would have been possible to just have made a CorsHttpServer class, but a couple of issues made that difficult:

• The http.server CLI uses more than one HTTP Server class, in order to support TLS/HTTPS. So a single CorsHttpServer child class wouldn't work to support both use cases.
• Much of the work in specifying HTTP behavior is handled by the various RequestHandler classes. However, the HttpServer classes didn't have an easy way to pass arguments down into the instantiated handlers.

As a result, this PR updates both HTTPServer and SimpleHTTPRequestHandler to accept a response_headers argument, which allows callers to specify an additional set of HTTP headers to pass in the response.

• HTTPServer now overrides finish_request to pass this new kwarg down to its RequestHandler.
• SimpleHTTPRequestHandler now accepts a resposnse_headers kwarg, to optionally specify a dictionary of additional headers to send in the response.

Care is taken to not pass the response_headers argument to any instance constructors when not provided, to ensure backwards compatibility. I tried to keep the implementation as short and simple as possible.

With the addition of a response_headers argument, we allow ourselves to have a future possible custom header http argument, such as:

python -m http.server -H 'custom-header: custom-value'

• Issue: Add a --cors command line option to stdlib http.server #135056

---

📚 Documentation preview 📚: https://cpython-previews--135057.org.readthedocs.build/

[python-cla-bot]

All commit authors signed the Contributor License Agreement.

[bedevere-app]

Most changes to Python require a NEWS entry. Add one using the blurb_it web app or the blurb command-line tool.

If this change has little impact on Python users, wait for a maintainer to apply the skip news label instead.

[hugovk]

(I'd prefer a general headers option, but will comment on the issue or Discourse topic)

[aisipos]

test_wsgiref is failing. I'll look into it.

[aisipos]

test_wsgiref fixed in a3256fd. This should fix any backwards incompatibility errors erroneously introduced in the first commit.

[donbarbos]

I think it's worth adding to this What's New entry (./Doc/whatsnew/3.15.rst)

[Zheaoli]

For me, I don't think add --cors CLI argument would be a good idea. Base on following reasons:

1. The CORS policy is a complicated idea. Six response headers are included by the word(If I'm correct). If you set the Access-Control-Allow-Origin, and now the people may need Access-Control-Allow-Methods( Allow for OPTION method). What is the next argument we need to add?
2. The CLI for http.server is just for a debug target. So we design the CLI as simple as we can. The developer don't need to care about any extra detail when they run just a simple debug server.
3. if we need CORS policy in the future. I suggest we setup all the header for developer and don't need to add cli for it.

[hugovk]

@Zheaoli Please comment in the discussion thread: https://discuss.python.org/t/any-interest-in-adding-a-cors-option-to-python-m-http-server/92120.

[hugovk]

(I'd prefer a general headers option, but will comment on the issue or Discourse topic)

https://discuss.python.org/t/any-interest-in-adding-a-cors-option-to-python-m-http-server/92120/24

[picnixz]

I'm not very fond of how the HTTP server class is growing more and more with more __init__ parameters, but I don't have a better idea for now. Maybe a generic configuration object but this would be an overkill for this class in particular I think.

[picnixz]

As Hugo said, since we're anyway exposing response-headers, I think we should also expose it from the CLI. It could be useful for users in general (e.g., --add-header NAME VALUE with the -H alias).

[picnixz]

Let's also update What's New/3.15.rst

[aisipos]

I used blurb to make this entry in NEWS.d, not knowing when it's appropriate to edit the main 3.15.rst file. I think once we know if we're doing --cors / --header , or both, I can make the appropriate update to What's New/3.15.rst

[picnixz]

Suggested change

	password=None, alpn_protocols=None, response_headers=None):
	password=None, alpn_protocols=None, **http_server_kwargs):

And pass http_server_kwargs to super()

[picnixz]

Suggested change

	args = (request, client_address, self)
	kwargs = {}
	response_headers = getattr(self, 'response_headers', None)
	if response_headers:
	kwargs['response_headers'] = self.response_headers
	self.RequestHandlerClass(*args, **kwargs)
	kwargs = {}
	if hasattr(self, 'response_headers'):
	kwargs['response_headers'] = self.response_headers
	self.RequestHandlerClass(request, client_address, self, **kwargs)

[aisipos]

@picnixz I made this requested change in 77b5fff. Note though that now HTTPServer will pass response_headers to the RequestHandler class even if response_headers is None or {}. Most RequestHandler implementation constructor implementations don't take this argument, so in order for this to work I added **kwargs as an argument to BaseRequestHandler.__init__. My earlier implementation was trying to prevent this, to keep any changes to only http/server.py and not need to touch anything in socketserver.py. Perhaps the **kwargs addition is ok, or I'm open to other solutions if we can think of better ones.

[picnixz]

Suggested change

	def __init__(self, *args, directory=None, response_headers=None, **kwargs):
	if directory is None:
	directory = os.getcwd()
	self.directory = os.fspath(directory)
	self.response_headers = response_headers or {}
	def __init__(self, *args, directory=None, response_headers=None, **kwargs):
	if directory is None:
	directory = os.getcwd()
	self.directory = os.fspath(directory)
	self.response_headers = response_headers

You're already checking for is not None later

[picnixz]

Suggested change

	tls_cert=None, tls_key=None, tls_password=None, response_headers=None):
	tls_cert=None, tls_key=None, tls_password=None,
	response_headers=None):

Let's group the parameters per purpose

[picnixz]

Suggested change

	handler_args = (request, client_address, self)
	handler_kwargs = dict(directory=args.directory)
	if self.response_headers:
	handler_kwargs['response_headers'] = self.response_headers
	self.RequestHandlerClass(*handler_args, **handler_kwargs)
	self.RequestHandlerClass(request, client_address, self,
	directory=args.directory,
	response_headers=self.response_headers)

[picnixz]

You must also modify create_https_server appropriately

[picnixz]

Suggested change

	server_kwargs = dict(
	response_headers = {'Access-Control-Allow-Origin': '*'}
	)
	server_kwargs = {
	'response_headers': {'Access-Control-Allow-Origin': '*'}
	}

[picnixz]

Suggested change

	def test_cors(self):
	def test_cors(self):

[aisipos]

@picnixz I have made all your suggested changes in 77b5fff . I have also implemented a generic -H or --header cli argument in 5f89c97. Now this PR contains both --cors and --header. I don't know if we want both, there doesn't seem to yet be consensus on what we prefer, although Core devs so far seem to lean on just --header.

[hugovk]

I think we should just have --header, as that unlocks the ability to enable CORS. We can still add --cors later if there's demand and consensus.

[hugovk]

And what are your thoughts on positional args like HTTPie?

https://discuss.python.org/t/any-interest-in-adding-a-cors-option-to-python-m-http-server/92120/24

[vadmium]

Isn’t this redundant with the entry already under the constructor heading?

[aisipos]

Perhaps - it seems the constructor documentation is used to make a brief mention of each argument and when it was added, with more detail being filled in later. My latest commits make several changes requested elsewhere for other reasons, but if the current version is still too redundant in multiple places I can make some more edits.

[picnixz]

I don't think we should add this information. There is no notion of an "instance argument": it should rather be an instance attribute, and this should be documented through a .. attribute::, below .. attribute:: extensions_map

[vadmium]

Why not do this the same way the --directory or --protocol options are implemented? Either way should avoid adding internal parameters to unrelated HTTPServer and BaseRequestHandler classes.

You could build the response_headers dictionary before the DualStackServerMixin class, and then pass it by referencing the outer scope like is already done with args.directory:

Suggested change

	response_headers=self.response_headers)
	response_headers=response_headers)

Or set the response_headers attribute on the SimpleHTTPRequestHandler class rather than in its constructor, like is done for protocol_verison in the test function.

[aisipos]

I followed your advice, see b1026d2. I made response_headers an argument to SimpleHTTPRequestHandler only, and send the argument to it in the DualStackServerMixin class.

[vadmium]

In previous versions, this was not a valid parameter at all.

Suggested change

	The *response_headers* parameter accepts an optional dictionary of
	Added *response_headers*, which accepts an optional dictionary of

Also, did you consider accepting a list or iterable of (name, value) pairs instead, like returned by http.client.HTTPResponse.getheaders? That would be better for sending multiple Set-Cookie fields.

[aisipos]

Ah yes, sending multiple headers of the same name would indeed be necessary. I updated to use an iterable of name value pairs instead in 7a793f2

[vadmium]

Might be worth clarifying how these fields interact with other fields such as Server specified under BaseHTTPRequestHandler.send_response, and Last-Modified under do_GET.

Also clarify which responses the fields are included in, assuming it wasn’t your intention to include them for 404 Not Found, 304 Not Modified, lower-level errors, etc.

[aisipos]

In the latest commits, I've noted that the custom headers are only sent in success cases. What do you mean by interaction though? The custom headers currently get sent after Last-Modified, should I mention the placement of the custom headers and that they appear after Last-Modified?

[vadmium]

Or is moving this to an extended send_response override an option? That way you would include the fields for all responses.

[vadmium]

Clarify as an internal private attribute:

Suggested change

	self.response_headers = response_headers
	self._response_headers = response_headers

Or document SimpleHTTPRequestHandler.response_headers as a public attribute.

[aisipos]

So far I have intended response_headers to be a public attribute. Do you mean add documentation to the docstring of SimpleHTTPRequestHandler or more documentation in Doc/library/http.server.rst?

[vadmium]

This appears to only be testing the undocumented or internal HTTPServer parameter. It would be good to test the new documented SimpleHTTPRequestHandler parameter instead or as well.

[aisipos]

I have removed server_kwargs in the latest updates, and updated the tests. The only external change now is response_headers as an instance arg to SimpleHTTPRequestHandler

[aisipos]

There are some new build breakages, I'll investigate and fix.

[aisipos]

There are some new build breakages, I'll investigate and fix.

Build breaks fixed in ed0b0b3 and 79c577b

[aisipos]

@picnixz I have merged master into the PR and fixed the conflict in the what's new file - would you be able to give this another review?

[hugovk]

Thanks!

@picnixz Any final comments?

[picnixz]

I would like to review it when I am back at home so it will need to wait like 10 days or so!

[aisipos]

@picnixz Thanks for your help in reviewing this PR. It would be nice to get it merged before the 3.15 beta - do you have any further thoughts on this PR?

[hugovk]

@aisipos Just in case @picnixz doesn't have time to re-check, please ping me towards the end of April and we can merge if there's no blocking objections. We can always bugfix during the beta if needed.

[picnixz]

We just need one additional test where you re-specify the Content-Type and Content-Length headers. I wonder whether we should first send the extra headers and only send those two if they are not in the extra headers or just reject those two as being customizable.

Otherwise I think I am ok with this approach. It is generic enough that we do not to worry too much. The question is whether we should consider those extra headers as "safe" or not and whether validation is necessary.

From a release perspective @hugovk : is it ok to remove/drastically redesign a feature introduced in alpha if it was not that ready?

[picnixz]

Suggested change

	* Added a ``-H`` or ``--header`` flag to the :program:`python -m http.server`
	* Added the ``-H/--header`` option to the :program:`python -m http.server`

[picnixz]

Suggested change

	"""Send the headers stored in self.extra_response_headers"""
	"""Send the headers stored in self.extra_response_headers."""

[hugovk]

From a release perspective @hugovk : is it ok to remove/drastically redesign a feature introduced in alpha if it was not that ready?

Things can be reverted right through to end of RC (see the incremental GC in 3.13 for an extreme case).

As we get closer to final release, each stage is intended to increase the stability, so I'd say no to drastic redesigns, and other changes should balance the risk/benefit and not introduce new features.

[picnixz]

So apart from:

• Tests when we redefine headers.
• Decide what to do with redefinitions.
• Decide what to do with validation (cc @sethmlarson)

I am ok with this PR. I would say that extra headers should be by-passed and should not be checked against existing ones (possibly sending twice the Content-Type header) unless the RFC forbids sending headers twice (in which case we need to use user-defined ones).

For validation, I would suggest we do nothing and add a security warning. Since http.server is not meant to be used in production it should be fine to have untrusted headers here.

[sethmlarson]

We can validate for CR/LF since those aren't allowed in HTTP headers, beyond that I think if it's set then it's okay to send values that are supplied to users. I'm concerned about being able to set duplicate headers for Content-Type, maybe we should disallow this at the CLI level or accept the user-supplied value?

[picnixz]

I'm concerned about being able to set duplicate headers for Content-Type, maybe we should disallow this at the CLI level or accept the user-supplied value?

As http.server is really not meant for production, I really don't want to provide the same level of security guarantees as http.client. Using the user-defined headers for the headers we supply is fine but it's a bit weird because those headers will be always be sent back whatever the response is. So ignoring them is also fine.

How about rejecting the headers that we internally supply for now and maybe extend the functionality if needs arise?

[sethmlarson]

@picnixz That would work for me! :)

[picnixz]

Ok, so to summarize @aisipos:

• Please make it so that we explicitly reject the headers that we already supply.
• Update the documentation about those headers.
• Add tests.

[aisipos]

@picnixz OK, thanks for your help. In the latest 2 commits I updated the code to not overwrite headers that the server has already sent (including a new test for this), and updated the documentation to describe this. It's ready for another re-review.

[picnixz]

Please fix the tests first.

[aisipos]

@picnixz OK sorry, I made the new attribute access I added more resilient to mocking in tests. There are still a couple of test runs failing on windows profiling, but they seem unrelated?

[hugovk]

I restarted Windows and it passed ✅