History of changes

v0.9.0 (2019-05-15)

Bug fixes:

  • Allow a broader range of characters in header values. This violates the RFC, but is apparently required for compatibility with real-world code, like Google Analytics cookies (#57, #58).
  • Validate incoming and outgoing request paths for invalid characters. This prevents a variety of potential security issues that have affected other HTTP clients. (#69).
  • Force status codes to be integers, thereby allowing stdlib HTTPStatus IntEnums to be used when constructing responses (#72).

Other changes:

  • Make all sentinel values inspectable by IDEs, and split SEND_BODY_DONE into SEND_BODY, and DONE (#75).
  • Drop support for Python 3.3.
  • LocalProtocolError raised in start_next_cycle now shows states for more informative errors (#80).

v0.8.1 (2018-04-14)

Bug fixes:

  • Always return headers as bytes objects (#60)

Other changes:

  • Added proper license notices to the Javascript used in our documentation (#61)

v0.8.0 (2018-03-20)

Backwards incompatible changes:

  • h11 now performs stricter validation on outgoing header names and header values: illegal characters are now rejected (example: you can’t put a newline into an HTTP header), and header values with leading/trailing whitespace are also rejected (previously h11 would silently discard the whitespace). All these checks were already performed on incoming headers; this just extends that to outgoing headers.

New features:

Bug fixes:

  • Make sure that when computing the framing headers for HEAD responses, we produce the same results as we would for the corresponding GET.
  • Error out if a request has multiple Host: headers.
  • Send the Host: header first, as recommended by RFC 7230.
  • The Expect: header is case-insensitive, so use case-insensitive matching when looking for 100-continue.

Other changes:

  • Better error messages in several cases.
  • Provide correct error_status_hint in exception raised when encountering an invalid Transfer-Encoding header.
  • For better compatibility with broken servers, h11 now tolerates responses where the reason phrase is missing (not just empty).
  • Various optimizations and documentation improvements.

v0.7.0 (2016-11-25)

New features (backwards compatible):

Bug fixes:

  • Fix the error message given when a call to an event constructor is missing a required keyword argument (issue #14).
  • Fixed encoding of empty Data events (Data(data=b"")) when using chunked encoding (issue #21).

v0.6.0 (2016-10-24)

This is the first release since we started using h11 to write non-trivial server code, and this experience triggered a number of substantial API changes.

Backwards incompatible changes:

  • Split the old receive_data() into the new receive_data() and next_event(), and replaced the old Paused pseudo-event with the new NEED_DATA and PAUSED sentinels.
  • Simplified the API by replacing the old Connection.state_of(), Connection.client_state, Connection.server_state with the new Connection.states.
  • Renamed the old prepare_to_reuse() to the new start_next_cycle().
  • Removed the Paused pseudo-event.

Backwards compatible changes:

  • State machine: added a DONE -> MUST_CLOSE transition triggered by our peer being in the ERROR state.
  • Split ProtocolError into LocalProtocolError and RemoteProtocolError (see Error handling). Use case: HTTP servers want to be able to distinguish between an error that originates locally (which produce a 500 status code) versus errors caused by remote misbehavior (which produce a 4xx status code).
  • Changed the PRODUCT_ID from h11/<verson> to python-h11/<version>. (This is similar to what requests uses, and much more searchable than plain h11.)

Other changes:

  • Added a minimal benchmark suite, and used it to make a few small optimizations (maybe ~20% speedup?).

v0.5.0 (2016-05-14)

  • Initial release.