Clear fewer headers on 1xx/204/304 responses

This function is called on more than just 304 responses; it’s important to permit the Allow header on 204 responses. Also, the relevant RFCs have changed significantly. Fixes #2726. Signed-off-by: Anders Kaseorg <andersk@mit.edu>
tornadoweb · Sep 2, 2019 · 4e7c7b6 · 4e7c7b6
1 parent ff985fe
commit 4e7c7b6
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 11 deletions.
diff --git a/tornado/test/httpclient_test.py b/tornado/test/httpclient_test.py
@@ -109,7 +109,7 @@ def get(self):
         self.set_status(304)
         self.set_header("Content-Length", 42)
 
-    def _clear_headers_for_304(self):
+    def _clear_representation_headers(self):
         # Tornado strips content-length from 304 responses, but here we
         # want to simulate servers that include the headers anyway.
         pass

diff --git a/tornado/web.py b/tornado/web.py
@@ -1138,7 +1138,7 @@ def finish(self, chunk: Optional[Union[str, bytes, dict]] = None) -> "Future[Non
                 assert not self._write_buffer, (
                     "Cannot send body with %s" % self._status_code
                 )
-                self._clear_headers_for_304()
+                self._clear_representation_headers()
             elif "Content-Length" not in self._headers:
                 content_length = sum(len(part) for part in self._write_buffer)
                 self.set_header("Content-Length", content_length)
@@ -1803,20 +1803,15 @@ def render(*args, **kwargs) -> str:  # type: ignore
     def _ui_method(self, method: Callable[..., str]) -> Callable[..., str]:
         return lambda *args, **kwargs: method(self, *args, **kwargs)
 
-    def _clear_headers_for_304(self) -> None:
-        # 304 responses should not contain entity headers (defined in
-        # http://www.w3.org/Protocols/rfc2616/rfc2616-sec7.html#sec7.1)
+    def _clear_representation_headers(self) -> None:
+        # 304 responses should not representation metadata headers (defined in
+        # https://tools.ietf.org/html/rfc7231#section-3.1)
         # not explicitly allowed by
-        # http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.3.5
+        # https://tools.ietf.org/html/rfc7232#section-4.1
         headers = [
-            "Allow",
             "Content-Encoding",
             "Content-Language",
-            "Content-Length",
-            "Content-MD5",
-            "Content-Range",
             "Content-Type",
-            "Last-Modified",
         ]
         for h in headers:
             self.clear_header(h)