gh-135056: Remove --cors opt from http.server in favor of --header

Author: aisipos

Doc/library/http.server.rst

@@ -553,15 +553,6 @@ The following options are accepted:
 
    .. versionadded:: 3.14
 
-.. option:: --cors
-
-   Adds an additional CORS (Cross-Origin Resource sharing) header to each response::
-
-     Access-Control-Allow-Origin: *
-
-   .. versionadded:: next
-
-
 .. _http.server-security:
 
 Security considerations

Lib/http/server.py

@@ -1046,8 +1046,6 @@ def _main(args=None):
     parser.add_argument('port', default=8000, type=int, nargs='?',
                         help='bind to this port '
                              '(default: %(default)s)')
-    parser.add_argument('--cors', action='store_true',
-                        help='Enable Access-Control-Allow-Origin: * header')
     parser.add_argument('-H', '--header', nargs=2, action='append',
                         # metavar='HEADER VALUE',
                         metavar=('HEADER', 'VALUE'),
@@ -1091,8 +1089,6 @@ class HTTPSDualStackServer(DualStackServerMixin, ThreadingHTTPSServer):
 
     ServerClass = HTTPSDualStackServer if args.tls_cert else HTTPDualStackServer
     response_headers = {}
-    if args.cors:
-        response_headers['Access-Control-Allow-Origin'] = '*'
     for header, value in args.header or []:
         response_headers[header] = value
 

Lib/test/test_httpservers.py

@@ -829,17 +829,6 @@ def test_path_without_leading_slash(self):
                          self.tempdir_name + "/?hi=1")
 
 
-class CorsHTTPServerTestCase(SimpleHTTPServerTestCase):
-    server_kwargs = {
-        'response_headers': {'Access-Control-Allow-Origin': '*'}
-    }
-
-    def test_cors(self):
-        response = self.request(self.base_url + '/test')
-        self.check_status_and_reason(response, HTTPStatus.OK)
-        self.assertEqual(response.getheader('Access-Control-Allow-Origin'), '*')
-
-
 class SocketlessRequestHandler(SimpleHTTPRequestHandler):
     def __init__(self, directory=None):
         request = mock.Mock()
@@ -1388,17 +1377,6 @@ def test_protocol_flag(self, mock_func):
                     mock_func.assert_called_once_with(**call_args)
                     mock_func.reset_mock()
 
-    @mock.patch('http.server.test')
-    def test_cors_flag(self, mock_func):
-        self.invoke_httpd('--cors')
-        call_args = self.args | dict(
-            response_headers={
-                'Access-Control-Allow-Origin': '*'
-            }
-        )
-        mock_func.assert_called_once_with(**call_args)
-        mock_func.reset_mock()
-
     @mock.patch('http.server.test')
     def test_header_flag(self, mock_func):
         self.invoke_httpd('--header', 'h1', 'v1', '-H', 'h2', 'v2')

Misc/NEWS.d/next/Library/2025-06-02-22-23-38.gh-issue-135056.yz3dSs.rst

@@ -1,2 +1,2 @@
-Add a ``--cors`` cli option to :program:`python -m http.server`. Contributed by
+Add a ``--header`` cli option to :program:`python -m http.server`. Contributed by
 Anton I. Sipos.