Skip to content


What's new in Tornado 4.1

Feb 7, 2015


* If a `.Future` contains an exception but that exception is never
  examined or re-raised (e.g. by yielding the `.Future`), a stack
  trace will be logged when the `.Future` is garbage-collected.
* New class `tornado.gen.WaitIterator` provides a way to iterate
  over ``Futures`` in the order they resolve.
* The `tornado.websocket` module now supports compression via the
  "permessage-deflate" extension.  Override
  `.WebSocketHandler.get_compression_options` to enable on the server
  side, and use the ``compression_options`` keyword argument to
  `.websocket_connect` on the client side.
* When the appropriate packages are installed, it is possible to yield
  `asyncio.Future` or Twisted ``Defered`` objects in Tornado coroutines.

Backwards-compatibility notes

* `.HTTPServer` now calls ``start_request`` with the correct
  arguments.  This change is backwards-incompatible, afffecting any
  application which implemented `.HTTPServerConnectionDelegate` by
  following the example of `.Application` instead of the documented
  method signatures.


* If a `.Future` contains an exception but that exception is never
  examined or re-raised (e.g. by yielding the `.Future`), a stack
  trace will be logged when the `.Future` is garbage-collected.
* `.Future` now catches and logs exceptions in its callbacks.


* ``tornado.curl_httpclient`` now supports request bodies for ``PATCH``
  and custom methods.
* ``tornado.curl_httpclient`` now supports resubmitting bodies after
  following redirects for methods other than ``POST``.
* ``curl_httpclient`` now runs the streaming and header callbacks on
  the IOLoop.
* ``tornado.curl_httpclient`` now uses its own logger for debug output
  so it can be filtered more easily.


* New class `tornado.gen.WaitIterator` provides a way to iterate
  over ``Futures`` in the order they resolve.
* When the `~functools.singledispatch` library is available (standard on
  Python 3.4, available via ``pip install singledispatch`` on older versions),
  the `.convert_yielded` function can be used to make other kinds of objects
  yieldable in coroutines.
* New function `tornado.gen.sleep` is a coroutine-friendly
  analogue to `time.sleep`.
* `.gen.engine` now correctly captures the stack context for its callbacks.


* `tornado.httpclient.HTTPRequest` accepts a new argument
  ``raise_error=False`` to suppress the default behavior of raising an
  error for non-200 response codes.


* `.HTTPServer` now calls ``start_request`` with the correct
  arguments.  This change is backwards-incompatible, afffecting any
  application which implemented `.HTTPServerConnectionDelegate` by
  following the example of `.Application` instead of the documented
  method signatures.
* `.HTTPServer` now tolerates extra newlines which are sometimes inserted
  between requests on keep-alive connections.
* `.HTTPServer` can now use keep-alive connections after a request
  with a chunked body.
* `.HTTPServer` now always reports ``HTTP/1.1`` instead of echoing
  the request version.


* New function `tornado.httputil.split_host_and_port` for parsing
  the ``netloc`` portion of URLs.
* The ``context`` argument to `.HTTPServerRequest` is now optional,
  and if a context is supplied the ``remote_ip`` attribute is also optional.
* `.HTTPServerRequest.body` is now always a byte string (previously the default
  empty body would be a unicode string on python 3).
* Header parsing now works correctly when newline-like unicode characters
  are present.
* Header parsing again supports both CRLF and bare LF line separators.
* Malformed ``multipart/form-data`` bodies will always be logged
  quietly instead of raising an unhandled exception; previously
  the behavior was inconsistent depending on the exact error.


* The ``kqueue`` and ``select`` IOLoop implementations now report
  writeability correctly, fixing flow control in IOStream.
* When a new `.IOLoop` is created, it automatically becomes "current"
  for the thread if there is not already a current instance.
* New method `.PeriodicCallback.is_running` can be used to see
  whether the `.PeriodicCallback` has been started.


* `.IOStream.start_tls` now uses the ``server_hostname`` parameter
  for certificate validation.
* `.SSLIOStream` will no longer consume 100% CPU after certain error conditions.
* `.SSLIOStream` no longer logs ``EBADF`` errors during the handshake as they
  can result from nmap scans in certain modes.


* `~tornado.options.parse_config_file` now always decodes the config
  file as utf8 on Python 3.
* `tornado.options.define` more accurately finds the module defining the


* It is now possible to yield ``asyncio.Future`` objects in coroutines
  when the `~functools.singledispatch` library is available and
  ``tornado.platform.asyncio`` has been imported.
* New methods `tornado.platform.asyncio.to_tornado_future` and
  `~tornado.platform.asyncio.to_asyncio_future` convert between
  the two libraries' `.Future` classes.


* It is now possible to yield ``Deferred`` objects in coroutines
  when the `~functools.singledispatch` library is available and
  ``tornado.platform.twisted`` has been imported.


* `.TCPClient` will no longer raise an exception due to an ill-timed


* `.TCPServer` no longer ignores its ``read_chunk_size`` argument.


* `.AsyncTestCase` has better support for multiple exceptions. Previously
  it would silently swallow all but the last; now it raises the first
  and logs all the rest.
* `.AsyncTestCase` now cleans up `.Subprocess` state on ``tearDown`` when


* The `.asynchronous` decorator now understands `concurrent.futures.Future`
  in addition to `tornado.concurrent.Future`.
* `.StaticFileHandler` no longer logs a stack trace if the connection is
  closed while sending the file.
* `.RequestHandler.send_error` now supports a ``reason`` keyword
  argument, similar to `tornado.web.HTTPError`.
* `.RequestHandler.locale` now has a property setter.
* `.Application.add_handlers` hostname matching now works correctly with
  IPv6 literals.
* Redirects for the `.Application` ``default_host`` setting now match
  the request protocol instead of redirecting HTTPS to HTTP.
* Malformed ``_xsrf`` cookies are now ignored instead of causing
  uncaught exceptions.
* ``Application.start_request`` now has the same signature as


* The `tornado.websocket` module now supports compression via the
  "permessage-deflate" extension.  Override
  `.WebSocketHandler.get_compression_options` to enable on the server
  side, and use the ``compression_options`` keyword argument to
  `.websocket_connect` on the client side.
* `.WebSocketHandler` no longer logs stack traces when the connection
  is closed.
* `` now accepts ``*args, **kw`` for consistency
  with ``RequestHandler.get`` and related methods.
* The ``Sec-WebSocket-Version`` header now includes all supported versions.
* `.websocket_connect` now has a ``on_message_callback`` keyword argument
  for callback-style use without ``read_message()``.


Set version number to 4.1b2


Set version number to 4.1b1


What's new in Tornado 4.0.2

Sept 10, 2014

Bug fixes

* Fixed a bug that could sometimes cause a timeout to fire after being
* `.AsyncTestCase` once again passes along arguments to test methods,
  making it compatible with extensions such as Nose's test generators.
* `.StaticFileHandler` can again compress its responses when gzip is enabled.
* ``simple_httpclient`` passes its ``max_buffer_size`` argument to the
  underlying stream.
* Fixed a reference cycle that can lead to increased memory consumption.
* `.add_accept_handler` will now limit the number of times it will call
  `~socket.socket.accept` per `.IOLoop` iteration, addressing a potential
  starvation issue.
* Improved error handling in `.IOStream.connect` (primarily for FreeBSD


What's new in Tornado 4.0.1

Aug 12, 2014

* The build will now fall back to pure-python mode if the C extension
  fails to build for any reason (previously it would fall back for some
  errors but not others).
* `.IOLoop.call_at` and `.IOLoop.call_later` now always return
  a timeout handle for use with `.IOLoop.remove_timeout`.
* If any callback of a `.PeriodicCallback` or `.IOStream` returns a
  `.Future`, any error raised in that future will now be logged
  (similar to the behavior of `.IOLoop.add_callback`).
* Fixed an exception in client-side websocket connections when the
  connection is closed.
* ``simple_httpclient`` once again correctly handles 204 status
  codes with no content-length header.
* Fixed a regression in ``simple_httpclient`` that would result in
  timeouts for certain kinds of errors.


What's new in Tornado 4.0

July 15, 2014


* The `tornado.web.stream_request_body` decorator allows large files to be
  uploaded with limited memory usage.
* Coroutines are now faster and are used extensively throughout Tornado itself.
  More methods now return `Futures <.Future>`, including most `.IOStream`
  methods and `.RequestHandler.flush`.
* Many user-overridden methods are now allowed to return a `.Future`
  for flow control.
* HTTP-related code is now shared between the `tornado.httpserver`,
  ``tornado.simple_httpclient`` and `tornado.wsgi` modules, making support
  for features such as chunked and gzip encoding more consistent.
  `.HTTPServer` now uses new delegate interfaces defined in `tornado.httputil`
  in addition to its old single-callback interface.
* New module `tornado.tcpclient` creates TCP connections with non-blocking
  DNS, SSL handshaking, and support for IPv6.

Backwards-compatibility notes

* `tornado.concurrent.Future` is no longer thread-safe; use
  `concurrent.futures.Future` when thread-safety is needed.
* Tornado now depends on the `certifi <>`_
  package instead of bundling its own copy of the Mozilla CA list. This will
  be installed automatically when using ``pip`` or ``easy_install``.
* This version includes the changes to the secure cookie format first
  introduced in version :doc:`3.2.1 <v3.2.1>`, and the xsrf token change
  in version :doc:`3.2.2 <v3.2.2>`.  If you are upgrading from an earlier
  version, see those versions' release notes.
* WebSocket connections from other origin sites are now rejected by default.
  To accept cross-origin websocket connections, override
  the new method `.WebSocketHandler.check_origin`.
* `.WebSocketHandler` no longer supports the old ``draft 76`` protocol
  (this mainly affects Safari 5.x browsers).  Applications should use
  non-websocket workarounds for these browsers.
* Authors of alternative `.IOLoop` implementations should see the changes
  to `.IOLoop.add_handler` in this release.
* The ``RequestHandler.async_callback`` and ``WebSocketHandler.async_callback``
  wrapper functions have been removed; they have been obsolete for a long
  time due to stack contexts (and more recently coroutines).
* ``curl_httpclient`` now requires a minimum of libcurl version 7.21.1 and
  pycurl 7.18.2.
* Support for ``RequestHandler.get_error_html`` has been removed;
  override `.RequestHandler.write_error` instead.

Other notes

* The git repository has moved to
  All old links should be redirected to the new location.
* An `announcement mailing list
  <>`_ is now available.
* All Tornado modules are now importable on Google App Engine (although
  the App Engine environment does not allow the system calls used
  by `.IOLoop` so many modules are still unusable).


* Fixed a bug in `.FacebookMixin` on Python 3.
* When using the `.Future` interface, exceptions are more reliably delivered
  to the caller.


* `tornado.concurrent.Future` is now always thread-unsafe (previously
  it would be thread-safe if the `concurrent.futures` package was available).
  This improves performance and provides more consistent semantics.
  The parts of Tornado that accept Futures will accept both Tornado's
  thread-unsafe Futures and the thread-safe `concurrent.futures.Future`.
* `tornado.concurrent.Future` now includes all the functionality
  of the old ``TracebackFuture`` class.  ``TracebackFuture`` is now
  simply an alias for ``Future``.


* ``curl_httpclient`` now passes along the HTTP "reason" string
  in ``response.reason``.


* Performance of coroutines has been improved.
* Coroutines no longer generate ``StackContexts`` by default, but they
  will be created on demand when needed.
* The internals of the `tornado.gen` module have been rewritten to
  improve performance when using ``Futures``, at the expense of some
  performance degradation for the older `.YieldPoint` interfaces.
* New function `.with_timeout` wraps a `.Future` and raises an exception
  if it doesn't complete in a given amount of time.
* New object `.moment` can be yielded to allow the IOLoop to run for
  one iteration before resuming.
* `.Task` is now a function returning a `.Future` instead of a `.YieldPoint`
  subclass.  This change should be transparent to application code, but
  allows `.Task` to take advantage of the newly-optimized `.Future`


* New module contains the HTTP implementation shared by `tornado.httpserver`
  and ``tornado.simple_httpclient``.


* The command-line HTTP client (``python -m tornado.httpclient $URL``)
  now works on Python 3.
* Fixed a memory leak in `.AsyncHTTPClient` shutdown that affected
  applications that created many HTTP clients and IOLoops.
* New client request parameter ``decompress_response`` replaces
  the existing ``use_gzip`` parameter; both names are accepted.


* ``tornado.httpserver.HTTPRequest`` has moved to
* HTTP implementation has been unified with ``tornado.simple_httpclient``
  in `tornado.http1connection`.
* Now supports ``Transfer-Encoding: chunked`` for request bodies.
* Now supports ``Content-Encoding: gzip`` for request bodies if
  ``decompress_request=True`` is passed to the `.HTTPServer` constructor.
* The ``connection`` attribute of `.HTTPServerRequest` is now documented
  for public use; applications are expected to write their responses
  via the `.HTTPConnection` interface.
* The `.HTTPServerRequest.write` and `.HTTPServerRequest.finish` methods
  are now deprecated.  (`.RequestHandler.write` and `.RequestHandler.finish`
  are *not* deprecated; this only applies to the methods on
* `.HTTPServer` now supports `.HTTPServerConnectionDelegate` in addition to
  the old ``request_callback`` interface.  The delegate interface supports
  streaming of request bodies.
* `.HTTPServer` now detects the error of an application sending a
  ``Content-Length`` error that is inconsistent with the actual content.
* New constructor arguments ``max_header_size`` and ``max_body_size``
  allow separate limits to be set for different parts of the request.
  ``max_body_size`` is applied even in streaming mode.
* New constructor argument ``chunk_size`` can be used to limit the amount
  of data read into memory at one time per request.
* New constructor arguments ``idle_connection_timeout`` and ``body_timeout``
  allow time limits to be placed on the reading of requests.
* Form-encoded message bodies are now parsed for all HTTP methods, not just
  ``POST``, ``PUT``, and ``PATCH``.


* `.HTTPServerRequest` was moved to this module from `tornado.httpserver`.
* New base classes `.HTTPConnection`, `.HTTPServerConnectionDelegate`,
  and `.HTTPMessageDelegate` define the interaction between applications
  and the HTTP implementation.


* `.IOLoop.add_handler` and related methods now accept file-like objects
  in addition to raw file descriptors.  Passing the objects is recommended
  (when possible) to avoid a garbage-collection-related problem in unit tests.
* New method `.IOLoop.clear_instance` makes it possible to uninstall the
  singleton instance.
* Timeout scheduling is now more robust against slow callbacks.
* `.IOLoop.add_timeout` is now a bit more efficient.
* When a function run by the `.IOLoop` returns a `.Future` and that `.Future`
  has an exception, the `.IOLoop` will log the exception.
* New method `.IOLoop.spawn_callback` simplifies the process of launching
  a fire-and-forget callback that is separated from the caller's stack context.
* New methods `.IOLoop.call_later` and `.IOLoop.call_at` simplify the
  specification of relative or absolute timeouts (as opposed to
  `~.IOLoop.add_timeout`, which used the type of its argument).


* The ``callback`` argument to most `.IOStream` methods is now optional.
  When called without a callback the method will return a `.Future`
  for use with coroutines.
* New method `.IOStream.start_tls` converts an `.IOStream` to an
* No longer gets confused when an ``IOError`` or ``OSError`` without
  an ``errno`` attribute is raised.
* `.BaseIOStream.read_bytes` now accepts a ``partial`` keyword argument,
  which can be used to return before the full amount has been read.
  This is a more coroutine-friendly alternative to ``streaming_callback``.
* `.BaseIOStream.read_until` and ``read_until_regex`` now acept a
  ``max_bytes`` keyword argument which will cause the request to fail if
  it cannot be satisfied from the given number of bytes.
* `.IOStream` no longer reads from the socket into memory if it does not
  need data to satisfy a pending read.  As a side effect, the close callback
  will not be run immediately if the other side closes the connection
  while there is unconsumed data in the buffer.
* The default ``chunk_size`` has been increased to 64KB (from 4KB)
* The `.IOStream` constructor takes a new keyword argument
  ``max_write_buffer_size`` (defaults to unlimited).  Calls to
  `.BaseIOStream.write` will raise `.StreamBufferFullError` if the amount
  of unsent buffered data exceeds this limit.
* ``ETIMEDOUT`` errors are no longer logged.  If you need to distinguish
  timeouts from other forms of closed connections, examine ``stream.error``
  from a close callback.


* When `.bind_sockets` chooses a port automatically, it will now use
  the same port for IPv4 and IPv6.
* TLS compression is now disabled by default on Python 3.3 and higher
  (it is not possible to change this option in older versions).


* It is now possible to disable the default logging configuration
  by setting ``options.logging`` to ``None`` instead of the string ``"none"``.


* Now works on Python 2.6.
* Now works with Trollius version 0.3.


* `.TwistedIOLoop` now works on Python 3.3+ (with Twisted 14.0.0+).


* ``simple_httpclient`` has better support for IPv6, which is now enabled
  by default.
* Improved default cipher suite selection (Python 2.7+).
* HTTP implementation has been unified with ``tornado.httpserver``
  in `tornado.http1connection`
* Streaming request bodies are now supported via the ``body_producer``
  keyword argument to `tornado.httpclient.HTTPRequest`.
* The ``expect_100_continue`` keyword argument to
  `tornado.httpclient.HTTPRequest` allows the use of the HTTP ``Expect:
  100-continue`` feature.
* ``simple_httpclient`` now raises the original exception (e.g. an `IOError`)
  in more cases, instead of converting everything to ``HTTPError``.


* The stack context system now has less performance overhead when no
  stack contexts are active.


* New module which creates TCP connections and IOStreams, including
  name resolution, connecting, and SSL handshakes.


* `.AsyncTestCase` now attempts to detect test methods that are generators
  but were not run with ``@gen_test`` or any similar decorator (this would
  previously result in the test silently being skipped).
* Better stack traces are now displayed when a test times out.
* The ``@gen_test`` decorator now passes along ``*args, **kwargs`` so it
  can be used on functions with arguments.
* Fixed the test suite when ``unittest2`` is installed on Python 3.


* It is now possible to support streaming request bodies with the
  `.stream_request_body` decorator and the new `.RequestHandler.data_received`
* `.RequestHandler.flush` now returns a `.Future` if no callback is given.
* New exception `.Finish` may be raised to finish a request without
  triggering error handling.
* When gzip support is enabled, all ``text/*`` mime types will be compressed,
  not just those on a whitelist.
* `.Application` now implements the `.HTTPMessageDelegate` interface.
* ``HEAD`` requests in `.StaticFileHandler` no longer read the entire file.
* `.StaticFileHandler` now streams response bodies to the client.
* New setting ``compress_response`` replaces the existing ``gzip``
  setting; both names are accepted.
* XSRF cookies that were not generated by this module (i.e. strings without
  any particular formatting) are once again accepted (as long as the
  cookie and body/header match).  This pattern was common for
  testing and non-browser clients but was broken by the changes in
  Tornado 3.2.2.


* WebSocket connections from other origin sites are now rejected by default.
  Browsers do not use the same-origin policy for WebSocket connections as they
  do for most other browser-initiated communications.  This can be surprising
  and a security risk, so we disallow these connections on the server side
  by default.  To accept cross-origin websocket connections, override
  the new method `.WebSocketHandler.check_origin`.
* `.WebSocketHandler.close` and `.WebSocketClientConnection.close` now
  support ``code`` and ``reason`` arguments to send a status code and
  message to the other side of the connection when closing.  Both classes
  also have ``close_code`` and ``close_reason`` attributes to receive these
  values when the other side closes.
* The C speedup module now builds correctly with MSVC, and can support
  messages larger than 2GB on 64-bit systems.
* The fallback mechanism for detecting a missing C compiler now
  works correctly on Mac OS X.
* Arguments to `` are now decoded in the same way
  as arguments to `.RequestHandler.get` and similar methods.
* It is now allowed to override ``prepare`` in a `.WebSocketHandler`,
  and this method may generate HTTP responses (error pages) in the usual
  way.  The HTTP response methods are still not allowed once the
  WebSocket handshake has completed.


* New class `.WSGIAdapter` supports running a Tornado `.Application` on
  a WSGI server in a way that is more compatible with Tornado's non-WSGI
  `.HTTPServer`.  `.WSGIApplication` is deprecated in favor of using
  `.WSGIAdapter` with a regular `.Application`.
* `.WSGIAdapter` now supports gzipped output.


Set version number to 4.0b3.


Set version number to 4.0b2


Set version number to 4.0b1


What's new in Tornado 3.2.2

June 3, 2014

Security fixes

* The XSRF token is now encoded with a random mask on each request.
  This makes it safe to include in compressed pages without being
  vulnerable to the `BREACH attack <>`_.
  This applies to most applications that use both the ``xsrf_cookies``
  and ``gzip`` options (or have gzip applied by a proxy).

Backwards-compatibility notes

* If Tornado 3.2.2 is run at the same time as older versions on the same
  domain, there is some potential for issues with the differing cookie
  versions.  The `.Application` setting ``xsrf_cookie_version=1`` can
  be used for a transitional period to generate the older cookie format
  on newer servers.

Other changes

* ``tornado.platform.asyncio`` is now compatible with ``trollius`` version 0.3.
Something went wrong with that request. Please try again.