Clear fewer headers on 1xx/204/304 responses

This function is called on more than just 304 responses; it’s
important to permit the Allow header on 204 responses.  Also, the
relevant RFCs have changed significantly.

Fixes tornadoweb#2726.

Signed-off-by: Anders Kaseorg <[email protected]>

Author: andersk

tornado/web.py

@@ -1138,7 +1138,7 @@ def finish(self, chunk: Optional[Union[str, bytes, dict]] = None) -> "Future[Non
                 assert not self._write_buffer, (
                     "Cannot send body with %s" % self._status_code
                 )
-                self._clear_headers_for_304()
+                self._clear_representation_headers()
             elif "Content-Length" not in self._headers:
                 content_length = sum(len(part) for part in self._write_buffer)
                 self.set_header("Content-Length", content_length)
@@ -1803,20 +1803,15 @@ def render(*args, **kwargs) -> str:  # type: ignore
     def _ui_method(self, method: Callable[..., str]) -> Callable[..., str]:
         return lambda *args, **kwargs: method(self, *args, **kwargs)
 
-    def _clear_headers_for_304(self) -> None:
-        # 304 responses should not contain entity headers (defined in
-        # http://www.w3.org/Protocols/rfc2616/rfc2616-sec7.html#sec7.1)
+    def _clear_representation_headers(self) -> None:
+        # 304 responses should not representation metadata headers (defined in
+        # https://tools.ietf.org/html/rfc7231#section-3.1)
         # not explicitly allowed by
-        # http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.3.5
+        # https://tools.ietf.org/html/rfc7232#section-4.1
         headers = [
-            "Allow",
             "Content-Encoding",
             "Content-Language",
-            "Content-Length",
-            "Content-MD5",
-            "Content-Range",
             "Content-Type",
-            "Last-Modified",
         ]
         for h in headers:
             self.clear_header(h)