Allow None header values to opt out of default response headers

ResponseHeaders now accepts None values, enabling views to opt out of
default headers (like X-Frame-Options for iframe embedding). None values
are filtered out at serialization boundaries (WSGI handler) rather than
being deleted by middleware.

Also removes unused Response methods: serialize_headers, serialize,
file-like interface stubs (write, flush, tell, readable, seekable,
writable, writelines), text property, pickling support, and getvalue.

Author: davegaeddert

plain-support/plain/support/views.py

@@ -54,7 +54,7 @@ def get_response(self) -> ResponseBase:
         # X-Frame-Options are typically in DEFAULT_RESPONSE_HEADERS.
         # Set to None to signal the middleware to skip applying this default header.
         # We can't del/pop it because middleware runs after and would add it back.
-        response.headers["X-Frame-Options"] = None  # type: ignore[assignment]
+        response.headers["X-Frame-Options"] = None
 
         return response
 

plain/plain/http/response.py

@@ -10,7 +10,6 @@
 import time
 from collections.abc import Iterator
 from email.header import Header
-from functools import cached_property
 from http.client import responses
 from http.cookies import SimpleCookie
 from typing import IO, Any
@@ -86,10 +85,13 @@ def _convert_to_charset(
     def __delitem__(self, key: str) -> None:
         self.pop(key)
 
-    def __setitem__(self, key: str, value: str | bytes) -> None:
+    def __setitem__(self, key: str, value: str | bytes | None) -> None:
         key = self._convert_to_charset(key, "ascii")
-        value = self._convert_to_charset(value, "latin-1", mime_encode=True)
-        self._store[key.lower()] = (key, value)
+        if value is None:
+            self._store[key.lower()] = (key, None)
+        else:
+            value = self._convert_to_charset(value, "latin-1", mime_encode=True)
+            self._store[key.lower()] = (key, value)
 
     def pop(self, key: str, default: Any = None) -> Any:
         return self._store.pop(key.lower(), default)
@@ -182,17 +184,6 @@ def charset(self) -> str:
     def charset(self, value: str) -> None:
         self._charset = value
 
-    def serialize_headers(self) -> bytes:
-        """HTTP headers as a bytestring."""
-        return b"\r\n".join(
-            [
-                key.encode("ascii") + b": " + value.encode("latin-1")
-                for key, value in self.headers.items()
-            ]
-        )
-
-    __bytes__ = serialize_headers
-
     @property
     def _content_type_for_repr(self) -> str:
         return (
@@ -315,9 +306,6 @@ def make_bytes(self, value: str | bytes) -> bytes:
         # Handle non-string types.
         return str(value).encode(self.charset)
 
-    # These methods partially implement the file-like object interface.
-    # See https://docs.python.org/library/io.html#io.IOBase
-
     # The WSGI server must call this method upon completion of the request.
     # See http://blog.dscpl.com.au/2012/10/obligations-for-calling-close-on.html
     def close(self) -> None:
@@ -331,32 +319,6 @@ def close(self) -> None:
         self.closed = True
         signals.request_finished.send(sender=self._handler_class)
 
-    def write(self, content: bytes) -> None:
-        raise OSError(f"This {self.__class__.__name__} instance is not writable")
-
-    def flush(self) -> None:
-        pass
-
-    def tell(self) -> int:
-        raise OSError(
-            f"This {self.__class__.__name__} instance cannot tell its position"
-        )
-
-    # These methods partially implement a stream-like object interface.
-    # See https://docs.python.org/library/io.html#io.IOBase
-
-    def readable(self) -> bool:
-        return False
-
-    def seekable(self) -> bool:
-        return False
-
-    def writable(self) -> bool:
-        return False
-
-    def writelines(self, lines: list[bytes | str]) -> None:
-        raise OSError(f"This {self.__class__.__name__} instance is not writable")
-
 
 class Response(ResponseBase):
     """
@@ -366,42 +328,19 @@ class Response(ResponseBase):
     """
 
     streaming = False
-    non_picklable_attrs = frozenset(
-        [
-            "resolver_match",
-            # Non-picklable attributes added by test clients.
-            "client",
-            "context",
-            "json",
-            "templates",
-        ]
-    )
 
     def __init__(self, content: bytes | str | Iterator[bytes] = b"", **kwargs: Any):
         super().__init__(**kwargs)
         # Content is a bytestring. See the `content` property methods.
         self.content = content
 
-    def __getstate__(self) -> dict[str, Any]:
-        obj_dict = self.__dict__.copy()
-        for attr in self.non_picklable_attrs:
-            if attr in obj_dict:
-                del obj_dict[attr]
-        return obj_dict
-
     def __repr__(self) -> str:
         return "<%(cls)s status_code=%(status_code)d%(content_type)s>" % {  # noqa: UP031
             "cls": self.__class__.__name__,
             "status_code": self.status_code,
             "content_type": self._content_type_for_repr,
         }
 
-    def serialize(self) -> bytes:
-        """Full HTTP message, including headers, as a bytestring."""
-        return self.serialize_headers() + b"\r\n\r\n" + self.content
-
-    __bytes__ = serialize
-
     @property
     def content(self) -> bytes:
         return b"".join(self._container)
@@ -420,32 +359,11 @@ def content(self, value: bytes | str | Iterator[bytes]) -> None:
                     pass
         else:
             content = self.make_bytes(value)
-        # Create a list of properly encoded bytestrings to support write().
         self._container = [content]
 
-    @cached_property
-    def text(self) -> str:
-        return self.content.decode(self.charset or "utf-8")
-
     def __iter__(self) -> Iterator[bytes]:
         return iter(self._container)
 
-    def write(self, content: bytes | str) -> None:
-        self._container.append(self.make_bytes(content))
-
-    def tell(self) -> int:
-        return len(self.content)
-
-    def getvalue(self) -> bytes:
-        return self.content
-
-    def writable(self) -> bool:
-        return True
-
-    def writelines(self, lines: list[bytes | str]) -> None:
-        for line in lines:
-            self.write(line)
-
 
 class StreamingResponse(ResponseBase):
     """
@@ -495,9 +413,6 @@ def _set_streaming_content(self, value: Iterator[bytes | str]) -> None:
     def __iter__(self) -> Iterator[bytes]:
         return iter(self.streaming_content)
 
-    def getvalue(self) -> bytes:
-        return b"".join(self.streaming_content)
-
 
 class FileResponse(StreamingResponse):
     """

plain/plain/internal/handlers/wsgi.py

@@ -146,7 +146,8 @@ def __call__(
 
         status = "%d %s" % (response.status_code, response.reason_phrase)  # noqa: UP031
         response_headers = [
-            *response.headers.items(),
+            # Filter out None values (used to opt-out of default headers)
+            *((k, v) for k, v in response.headers.items() if v is not None),
             *(("Set-Cookie", c.output(header="")) for c in response.cookies.values()),
         ]
         start_response(status, response_headers)

plain/plain/internal/middleware/headers.py

@@ -21,18 +21,13 @@ class DefaultHeadersMiddleware(HttpMiddleware):
     View Customization Patterns:
     - Use default: Don't set the header (middleware applies it)
     - Override: Set the header to a different value
-    - Remove: Set the header to None (middleware will delete it)
+    - Remove: Set the header to None (not serialized in the response)
     - Extend: Read from settings.DEFAULT_RESPONSE_HEADERS, modify, then set
 
     Format Strings:
     Header values can include {request.attribute} placeholders for dynamic
     content. Example: 'nonce-{request.csp_nonce}' will be formatted with
     the request's csp_nonce value. Headers without placeholders are used as-is.
-
-    None Removal:
-    Views can set a header to None to opt-out of that default header entirely.
-    The middleware will delete any header set to None, preventing the default
-    from being applied.
     """
 
     def process_request(self, request: Request) -> Response:
@@ -47,9 +42,6 @@ def process_request(self, request: Request) -> Response:
                     response.headers[header] = value.format(request=request)
                 else:
                     response.headers[header] = value
-            elif response.headers[header] is None:
-                # Header explicitly set to None by view - remove it
-                del response.headers[header]
 
         # Add the Content-Length header to non-streaming responses if not
         # already set.