gh-135056: Add a --header CLI argument to http.server

[aisipos]

As proposed in #135056, Add a --cors command line argument to the stdlib http.server module, which will add an Access-Control-Allow-Origin: * header to all responses.

Invocation:

python -m http.server --cors

As part of this implementation, add a response_headers argument to SimpleHTTPRequestHandler and HTTPServer, which allows callers to add addition headers to the response. Ideally it would have been possible to just have made a CorsHttpServer class, but a couple of issues made that difficult:

• The http.server CLI uses more than one HTTP Server class, in order to support TLS/HTTPS. So a single CorsHttpServer child class wouldn't work to support both use cases.
• Much of the work in specifying HTTP behavior is handled by the various RequestHandler classes. However, the HttpServer classes didn't have an easy way to pass arguments down into the instantiated handlers.

As a result, this PR updates both HTTPServer and SimpleHTTPRequestHandler to accept a response_headers argument, which allows callers to specify an additional set of HTTP headers to pass in the response.

• HTTPServer now overrides finish_request to pass this new kwarg down to its RequestHandler.
• SimpleHTTPRequestHandler now accepts a resposnse_headers kwarg, to optionally specify a dictionary of additional headers to send in the response.

Care is taken to not pass the response_headers argument to any instance constructors when not provided, to ensure backwards compatibility. I tried to keep the implementation as short and simple as possible.

With the addition of a response_headers argument, we allow ourselves to have a future possible custom header http argument, such as:

python -m http.server -H 'custom-header: custom-value'

• Issue: Add a --cors command line option to stdlib http.server #135056

---

📚 Documentation preview 📚: https://cpython-previews--135057.org.readthedocs.build/

[python-cla-bot]

All commit authors signed the Contributor License Agreement.

[bedevere-app]

Most changes to Python require a NEWS entry. Add one using the blurb_it web app or the blurb command-line tool.

If this change has little impact on Python users, wait for a maintainer to apply the skip news label instead.

[hugovk]

(I'd prefer a general headers option, but will comment on the issue or Discourse topic)

[aisipos]

test_wsgiref is failing. I'll look into it.

[aisipos]

test_wsgiref fixed in a3256fd. This should fix any backwards incompatibility errors erroneously introduced in the first commit.

[donBarbos]

I think it's worth adding to this What's New entry (./Doc/whatsnew/3.15.rst)

[Zheaoli]

For me, I don't think add --cors CLI argument would be a good idea. Base on following reasons:

1. The CORS policy is a complicated idea. Six response headers are included by the word(If I'm correct). If you set the Access-Control-Allow-Origin, and now the people may need Access-Control-Allow-Methods( Allow for OPTION method). What is the next argument we need to add?
2. The CLI for http.server is just for a debug target. So we design the CLI as simple as we can. The developer don't need to care about any extra detail when they run just a simple debug server.
3. if we need CORS policy in the future. I suggest we setup all the header for developer and don't need to add cli for it.

[hugovk]

@Zheaoli Please comment in the discussion thread: https://discuss.python.org/t/any-interest-in-adding-a-cors-option-to-python-m-http-server/92120.

[hugovk]

(I'd prefer a general headers option, but will comment on the issue or Discourse topic)

https://discuss.python.org/t/any-interest-in-adding-a-cors-option-to-python-m-http-server/92120/24

[picnixz]

I'm not very fond of how the HTTP server class is growing more and more with more __init__ parameters, but I don't have a better idea for now. Maybe a generic configuration object but this would be an overkill for this class in particular I think.

[picnixz]

As Hugo said, since we're anyway exposing response-headers, I think we should also expose it from the CLI. It could be useful for users in general (e.g., --add-header NAME VALUE with the -H alias).

[picnixz]

Let's also update What's New/3.15.rst

[aisipos]

I used blurb to make this entry in NEWS.d, not knowing when it's appropriate to edit the main 3.15.rst file. I think once we know if we're doing --cors / --header , or both, I can make the appropriate update to What's New/3.15.rst

[picnixz]

Suggested change

	password=None, alpn_protocols=None, response_headers=None):
	password=None, alpn_protocols=None, **http_server_kwargs):

And pass http_server_kwargs to super()

[picnixz]

Suggested change

	args = (request, client_address, self)
	kwargs = {}
	response_headers = getattr(self, 'response_headers', None)
	if response_headers:
	kwargs['response_headers'] = self.response_headers
	self.RequestHandlerClass(*args, **kwargs)
	kwargs = {}
	if hasattr(self, 'response_headers'):
	kwargs['response_headers'] = self.response_headers
	self.RequestHandlerClass(request, client_address, self, **kwargs)

[aisipos]

@picnixz I made this requested change in 77b5fff. Note though that now HTTPServer will pass response_headers to the RequestHandler class even if response_headers is None or {}. Most RequestHandler implementation constructor implementations don't take this argument, so in order for this to work I added **kwargs as an argument to BaseRequestHandler.__init__. My earlier implementation was trying to prevent this, to keep any changes to only http/server.py and not need to touch anything in socketserver.py. Perhaps the **kwargs addition is ok, or I'm open to other solutions if we can think of better ones.

[picnixz]

Suggested change

	def __init__(self, *args, directory=None, response_headers=None, **kwargs):
	if directory is None:
	directory = os.getcwd()
	self.directory = os.fspath(directory)
	self.response_headers = response_headers or {}
	def __init__(self, *args, directory=None, response_headers=None, **kwargs):
	if directory is None:
	directory = os.getcwd()
	self.directory = os.fspath(directory)
	self.response_headers = response_headers

You're already checking for is not None later

[picnixz]

Suggested change

	tls_cert=None, tls_key=None, tls_password=None, response_headers=None):
	tls_cert=None, tls_key=None, tls_password=None,
	response_headers=None):

Let's group the parameters per purpose

[picnixz]

Suggested change

	handler_args = (request, client_address, self)
	handler_kwargs = dict(directory=args.directory)
	if self.response_headers:
	handler_kwargs['response_headers'] = self.response_headers
	self.RequestHandlerClass(*handler_args, **handler_kwargs)
	self.RequestHandlerClass(request, client_address, self,
	directory=args.directory,
	response_headers=self.response_headers)

[picnixz]

You must also modify create_https_server appropriately

[picnixz]

Suggested change

	server_kwargs = dict(
	response_headers = {'Access-Control-Allow-Origin': '*'}
	)
	server_kwargs = {
	'response_headers': {'Access-Control-Allow-Origin': '*'}
	}

[picnixz]

Suggested change

	def test_cors(self):
	def test_cors(self):

[aisipos]

@picnixz I have made all your suggested changes in 77b5fff . I have also implemented a generic -H or --header cli argument in 5f89c97. Now this PR contains both --cors and --header. I don't know if we want both, there doesn't seem to yet be consensus on what we prefer, although Core devs so far seem to lean on just --header.

[hugovk]

I think we should just have --header, as that unlocks the ability to enable CORS. We can still add --cors later if there's demand and consensus.

[hugovk]

And what are your thoughts on positional args like HTTPie?

https://discuss.python.org/t/any-interest-in-adding-a-cors-option-to-python-m-http-server/92120/24

[vadmium]

Isn’t this redundant with the entry already under the constructor heading?

[aisipos]

Perhaps - it seems the constructor documentation is used to make a brief mention of each argument and when it was added, with more detail being filled in later. My latest commits make several changes requested elsewhere for other reasons, but if the current version is still too redundant in multiple places I can make some more edits.

[picnixz]

I don't think we should add this information. There is no notion of an "instance argument": it should rather be an instance attribute, and this should be documented through a .. attribute::, below .. attribute:: extensions_map

[vadmium]

Why not do this the same way the --directory or --protocol options are implemented? Either way should avoid adding internal parameters to unrelated HTTPServer and BaseRequestHandler classes.

You could build the response_headers dictionary before the DualStackServerMixin class, and then pass it by referencing the outer scope like is already done with args.directory:

Suggested change

	response_headers=self.response_headers)
	response_headers=response_headers)

Or set the response_headers attribute on the SimpleHTTPRequestHandler class rather than in its constructor, like is done for protocol_verison in the test function.

[aisipos]

I followed your advice, see b1026d2. I made response_headers an argument to SimpleHTTPRequestHandler only, and send the argument to it in the DualStackServerMixin class.

[vadmium]

In previous versions, this was not a valid parameter at all.

Suggested change

	The *response_headers* parameter accepts an optional dictionary of
	Added *response_headers*, which accepts an optional dictionary of

Also, did you consider accepting a list or iterable of (name, value) pairs instead, like returned by http.client.HTTPResponse.getheaders? That would be better for sending multiple Set-Cookie fields.

[aisipos]

Ah yes, sending multiple headers of the same name would indeed be necessary. I updated to use an iterable of name value pairs instead in 7a793f2

[vadmium]

Might be worth clarifying how these fields interact with other fields such as Server specified under BaseHTTPRequestHandler.send_response, and Last-Modified under do_GET.

Also clarify which responses the fields are included in, assuming it wasn’t your intention to include them for 404 Not Found, 304 Not Modified, lower-level errors, etc.

[aisipos]

In the latest commits, I've noted that the custom headers are only sent in success cases. What do you mean by interaction though? The custom headers currently get sent after Last-Modified, should I mention the placement of the custom headers and that they appear after Last-Modified?

[vadmium]

Or is moving this to an extended send_response override an option? That way you would include the fields for all responses.

[vadmium]

Clarify as an internal private attribute:

Suggested change

	self.response_headers = response_headers
	self._response_headers = response_headers

Or document SimpleHTTPRequestHandler.response_headers as a public attribute.

[aisipos]

So far I have intended response_headers to be a public attribute. Do you mean add documentation to the docstring of SimpleHTTPRequestHandler or more documentation in Doc/library/http.server.rst?

[vadmium]

This appears to only be testing the undocumented or internal HTTPServer parameter. It would be good to test the new documented SimpleHTTPRequestHandler parameter instead or as well.

[aisipos]

I have removed server_kwargs in the latest updates, and updated the tests. The only external change now is response_headers as an instance arg to SimpleHTTPRequestHandler

[aisipos]

@picnixz Thanks for the review, I made all the updates you suggested. I also took your advice and renamed the new SimpleHTTPRequestHandler instance attribute to extra_response_headers, and renamed the method to send them to _send_extra_response_headers, making it private.

Regarding the open decision to make extra_response_headers part of the public interface as opposed to an implementation detail of the --header cli arg, I'll say that I have a slight preference to keeping it part of the public interface, since it may be useful to use programmatically in addition to the cli, but I'm not opposed to making it private if that's what we prefer.

[picnixz]

Suggested change

	Added *response_headers*.
	Added the *extra_response_headers* parameter.

[aisipos]

Fixed in 06a9977 and be78515

[picnixz]

Suggested change

	A sequence of ``(name, value)`` pairs containing user specified extra
	HTTP response headers to add to each successful HTTP status 200 response.
	A sequence of ``(name, value)`` pairs containing user-defined extra
	HTTP response headers to add to each successful HTTP status 200 response.

[aisipos]

Fixed in 53965ff

[picnixz]

Suggested change

	All other status code responses will not include these headers.
	These headers are not included in other status code responses.

[aisipos]

Fixed in c280ed8

[picnixz]

Suggested change

	``(name, value)`` pairs containing user specified extra response headers.
	``(name, value)`` pairs containing user-defined extra response headers
	sent for a HTTP 200 response.

[aisipos]

Fixed in 53965ff

[picnixz]

This is me being nitpicky but would it be preferrable to parse header=value or header value separate by a space? what about cURL/wget and other CLIs? (I think it's easier not to expect = as you did here because we could always say that -H something means -H something 1)

[aisipos]

I had a short discussion in the thread on python-ideas with @hugovk about this, see here

In short, cURL and wget do specify headers on their CLI as --header "name: value". In the python-ideas thread I had opposed using a name:value syntax as a positional cli parameter, since it could possibly clash with a port syntax like 127.0.0.1:8000. However if we require an explicit --header or -H before each "name: value", I'm not opposed to the idea.

I think the argument in favor of the PR as it is with -H <name> <value> is simplicity of implementation - it fits right in with argparse and nargs=2. However, if similarity with cURL / wget is desired it isn't much effort to implement a "name: value" format. I have a draft implementation in a separate branch: see aisipos@d878bf6

I'll admit to a slight leaning towards changing to the name: value format, given the principle of least surprise and the popularity of cURL and wget. Thoughts?

[picnixz]

Let's keep the simple space-separated stuff. It will also ease terminal shortcuts where you only delete the previous word (ctrl+w) to change for instance the value of a header. It also simplifies maintenance.

[aisipos]

@picnixz OK, I'm fine with keeping the space separated / nargs implementation as is in this PR. I think I've made all the other changes you requested. What else remains to do for this PR?

[picnixz]

Suggested change

	HandlerClass=HandlerClass, ServerClass=ServerClass,
	protocol=protocol, port=port, bind=bind, tls_cert=tls_cert,
	tls_key=tls_key, tls_password=tls_password
	HandlerClass=HandlerClass, ServerClass=ServerClass,
	protocol=protocol, port=port, bind=bind,
	tls_cert=tls_cert, tls_key=tls_key, tls_password=tls_password,

I would prefer this split just to group the tls_* arguments together. I think it fits on 80 chars.

[aisipos]

Fixed in 64122df. It ends up being only 68 chars so it fits easily under 80. I didn't leave in a trailing comma, if that matters I can add it in.

[picnixz]

Suggested change

	'(can be used multiple times)')
	'(can be specified multiple times)')

The trace.py argparse uses "specified"

[aisipos]

Fixed in f0d1bac

[picnixz]

ensure 2 blank lines around classes (there is one blank line missing after this)

[aisipos]

Fixed in 2e829bb

[picnixz]

Suggested change

	with mock.patch.object(self.request_handler, 'extra_response_headers', new=[
	with mock.patch.object(self.request_handler, 'extra_response_headers', [

no need for using the 'new' keyword (same for the previous test)

[aisipos]

Fixed in e99780e

[picnixz]

Check that the extra headers are only sent for HTTP 200 responses and always check the response code in the tests.

[aisipos]

See updates to the tests in 8baa875, 7856d27, and 303ab5b

[aisipos]

There are some new build breakages, I'll investigate and fix.

[aisipos]

There are some new build breakages, I'll investigate and fix.

Build breaks fixed in ed0b0b3 and 79c577b