What’s new in Tornado 6.3.0

Apr 17, 2023

Highlights

• The new Application setting xsrf_cookie_name can now be used to take advantage of the __Host cookie prefix for improved security. To use it, add {"xsrf_cookie_name": "__Host-xsrf", "xsrf_cookie_kwargs": {"secure": True}} to your Application settings. Note that this feature currently only works when HTTPS is used.

• WSGIContainer now supports running the application in a ThreadPoolExecutor so the event loop is no longer blocked.

• AsyncTestCase and AsyncHTTPTestCase, which were deprecated in Tornado 6.2, are no longer deprecated.

• WebSockets are now much faster at receiving large messages split into many fragments.

General changes

• Python 3.7 is no longer supported; the minimum supported Python version is 3.8. Python 3.12 is now supported.

• To avoid spurious deprecation warnings, users of Python 3.10 should upgrade to at least version 3.10.9, and users of Python 3.11 should upgrade to at least version 3.11.1.

• Tornado submodules are now imported automatically on demand. This means it is now possible to use a single import tornado statement and refer to objects in submodules such as tornado.web.RequestHandler.

Deprecation notices

• In Tornado 7.0, tornado.testing.ExpectLog will match WARNING and above regardless of the current logging configuration, unless the level argument is used.

• RequestHandler.get_secure_cookie is now a deprecated alias for RequestHandler.get_signed_cookie. RequestHandler.set_secure_cookie is now a deprecated alias for RequestHandler.set_signed_cookie.

• RequestHandler.clear_all_cookies is deprecated. No direct replacement is provided; RequestHandler.clear_cookie should be used on individual cookies.

• Calling the IOLoop constructor without a make_current argument, which was deprecated in Tornado 6.2, is no longer deprecated.

• AsyncTestCase and AsyncHTTPTestCase, which were deprecated in Tornado 6.2, are no longer deprecated.

• AsyncTestCase.get_new_ioloop is deprecated.

tornado.auth

• New method GoogleOAuth2Mixin.get_google_oauth_settings can now be overridden to get credentials from a source other than the Application settings.

tornado.gen

• contextvars now work properly when a @gen.coroutine calls a native coroutine.

tornado.options

• parse_config_file now recognizes single comma-separated strings (in addition to lists of strings) for options with multiple=True.

tornado.web

• New Application setting xsrf_cookie_name can be used to change the name of the XSRF cookie. This is most useful to take advantage of the __Host- cookie prefix.

• RequestHandler.get_secure_cookie and RequestHandler.set_secure_cookie (and related methods and attributes) have been renamed to get_signed_cookie and set_signed_cookie. This makes it more explicit what kind of security is provided, and avoids confusion with the Secure cookie attribute and __Secure- cookie prefix. The old names remain supported as deprecated aliases.

• RequestHandler.clear_cookie now accepts all keyword arguments accepted by set_cookie. In some cases clearing a cookie requires certain arguments to be passed the same way in which it was set.

• RequestHandler.clear_all_cookies now accepts additional keyword arguments for the same reason as clear_cookie. However, since the requirements for additional arguments mean that it cannot reliably clear all cookies, this method is now deprecated.

tornado.websocket

• It is now much faster (no longer quadratic) to receive large messages that have been split into many fragments.

• websocket_connect now accepts a resolver parameter.

tornado.wsgi

• WSGIContainer now accepts an executor parameter which can be used to run the WSGI application on a thread pool.