gh-135056: Add a --cors CLI argument to http.server

[aisipos]

As proposed in #135056, Add a --cors command line argument to the stdlib http.server module, which will add an Access-Control-Allow-Origin: * header to all responses.

Invocation:

python -m http.server --cors

As part of this implementation, add a response_headers argument to SimpleHTTPRequestHandler and HTTPServer, which allows callers to add addition headers to the response. Ideally it would have been possible to just have made a CorsHttpServer class, but a couple of issues made that difficult:

• The http.server CLI uses more than one HTTP Server class, in order to support TLS/HTTPS. So a single CorsHttpServer child class wouldn't work to support both use cases.
• Much of the work in specifying HTTP behavior is handled by the various RequestHandler classes. However, the HttpServer classes didn't have an easy way to pass arguments down into the instantiated handlers.

As a result, this PR updates both HTTPServer and SimpleHTTPRequestHandler to accept a response_headers argument, which allows callers to specify an additional set of HTTP headers to pass in the response.

• HTTPServer now overrides finish_request to pass this new kwarg down to its RequestHandler.
• SimpleHTTPRequestHandler now accepts a resposnse_headers kwarg, to optionally specify a dictionary of additional headers to send in the response.

Care is taken to not pass the response_headers argument to any instance constructors when not provided, to ensure backwards compatibility. I tried to keep the implementation as short and simple as possible.

With the addition of a response_headers argument, we allow ourselves to have a future possible custom header http argument, such as:

python -m http.server -H 'custom-header: custom-value'

• Issue: Add a --cors command line option to stdlib http.server #135056

---

📚 Documentation preview 📚: https://cpython-previews--135057.org.readthedocs.build/

[python-cla-bot]

All commit authors signed the Contributor License Agreement.

[bedevere-app]

Most changes to Python require a NEWS entry. Add one using the blurb_it web app or the blurb command-line tool.

If this change has little impact on Python users, wait for a maintainer to apply the skip news label instead.

[hugovk]

(I'd prefer a general headers option, but will comment on the issue or Discourse topic)

[aisipos]

test_wsgiref is failing. I'll look into it.

[aisipos]

test_wsgiref fixed in a3256fd. This should fix any backwards incompatibility errors erroneously introduced in the first commit.

[donBarbos]

I think it's worth adding to this What's New entry (./Doc/whatsnew/3.15.rst)

[Zheaoli]

For me, I don't think add --cors CLI argument would be a good idea. Base on following reasons:

1. The CORS policy is a complicated idea. Six response headers are included by the word(If I'm correct). If you set the Access-Control-Allow-Origin, and now the people may need Access-Control-Allow-Methods( Allow for OPTION method). What is the next argument we need to add?
2. The CLI for http.server is just for a debug target. So we design the CLI as simple as we can. The developer don't need to care about any extra detail when they run just a simple debug server.
3. if we need CORS policy in the future. I suggest we setup all the header for developer and don't need to add cli for it.

[hugovk]

@Zheaoli Please comment in the discussion thread: https://discuss.python.org/t/any-interest-in-adding-a-cors-option-to-python-m-http-server/92120.

[hugovk]

(I'd prefer a general headers option, but will comment on the issue or Discourse topic)

https://discuss.python.org/t/any-interest-in-adding-a-cors-option-to-python-m-http-server/92120/24

[picnixz]

I'm not very fond of how the HTTP server class is growing more and more with more __init__ parameters, but I don't have a better idea for now. Maybe a generic configuration object but this would be an overkill for this class in particular I think.

[picnixz]

As Hugo said, since we're anyway exposing response-headers, I think we should also expose it from the CLI. It could be useful for users in general (e.g., --add-header NAME VALUE with the -H alias).

[picnixz]

Let's also update What's New/3.15.rst

[aisipos]

I used blurb to make this entry in NEWS.d, not knowing when it's appropriate to edit the main 3.15.rst file. I think once we know if we're doing --cors / --header , or both, I can make the appropriate update to What's New/3.15.rst

[picnixz]

Suggested change

	password=None, alpn_protocols=None, response_headers=None):
	password=None, alpn_protocols=None, **http_server_kwargs):

And pass http_server_kwargs to super()

[picnixz]

Suggested change

	args = (request, client_address, self)
	kwargs = {}
	response_headers = getattr(self, 'response_headers', None)
	if response_headers:
	kwargs['response_headers'] = self.response_headers
	self.RequestHandlerClass(*args, **kwargs)
	kwargs = {}
	if hasattr(self, 'response_headers'):
	kwargs['response_headers'] = self.response_headers
	self.RequestHandlerClass(request, client_address, self, **kwargs)

[aisipos]

@picnixz I made this requested change in 77b5fff. Note though that now HTTPServer will pass response_headers to the RequestHandler class even if response_headers is None or {}. Most RequestHandler implementation constructor implementations don't take this argument, so in order for this to work I added **kwargs as an argument to BaseRequestHandler.__init__. My earlier implementation was trying to prevent this, to keep any changes to only http/server.py and not need to touch anything in socketserver.py. Perhaps the **kwargs addition is ok, or I'm open to other solutions if we can think of better ones.

[picnixz]

Suggested change

	def __init__(self, *args, directory=None, response_headers=None, **kwargs):
	if directory is None:
	directory = os.getcwd()
	self.directory = os.fspath(directory)
	self.response_headers = response_headers or {}
	def __init__(self, *args, directory=None, response_headers=None, **kwargs):
	if directory is None:
	directory = os.getcwd()
	self.directory = os.fspath(directory)
	self.response_headers = response_headers

You're already checking for is not None later

[picnixz]

Suggested change

	tls_cert=None, tls_key=None, tls_password=None, response_headers=None):
	tls_cert=None, tls_key=None, tls_password=None,
	response_headers=None):

Let's group the parameters per purpose

[picnixz]

Suggested change

	handler_args = (request, client_address, self)
	handler_kwargs = dict(directory=args.directory)
	if self.response_headers:
	handler_kwargs['response_headers'] = self.response_headers
	self.RequestHandlerClass(*handler_args, **handler_kwargs)
	self.RequestHandlerClass(request, client_address, self,
	directory=args.directory,
	response_headers=self.response_headers)

[picnixz]

You must also modify create_https_server appropriately

[picnixz]

Suggested change

	server_kwargs = dict(
	response_headers = {'Access-Control-Allow-Origin': '*'}
	)
	server_kwargs = {
	'response_headers': {'Access-Control-Allow-Origin': '*'}
	}

[picnixz]

Suggested change

	def test_cors(self):
	def test_cors(self):

[aisipos]

@picnixz I have made all your suggested changes in 77b5fff . I have also implemented a generic -H or --header cli argument in 5f89c97. Now this PR contains both --cors and --header. I don't know if we want both, there doesn't seem to yet be consensus on what we prefer, although Core devs so far seem to lean on just --header .

[hugovk]

I think we should just have --header, as that unlocks the ability to enable CORS. We can still add --cors later if there's demand and consensus.

[hugovk]

And what are your thoughts on positional args like HTTPie?

https://discuss.python.org/t/any-interest-in-adding-a-cors-option-to-python-m-http-server/92120/24