Ben Darnell

Your code looks fine to me; I'm not sure what might be going on. It could be a bug in Tornado. For example, we have an unresolved bug that can...

Cool, I'm glad you found something that works for you. It does appear that you've found a bug that is allowing multiple AsyncHTTPClient objects to be created instead of reusing...

My assumption has been that you wouldn't mix IOLoop and asyncio event loop control methods in the same app: you could use IOLoop.run_sync instead of asyncio.run, but in that case...

Hmm, I've never seen that and I'm not quite sure how you'd get there. Are you overriding RequestHandler._execute somehow?

> there is an options method decorated with tornado.gen.coroutine, no yields just returns. Should that the be source of the _NullFuture? No, tornado.gen.coroutine should still use a real future in...

I think the original idea was that you'd delay the initial creation of the `xsrf_token` until the user had logged in. I'm not sure why it sets a session-scoped cookie...

With the introduction of SameSite cookies, Tornado's `xsrf_cookies` system is obsolete. I intend to deprecate it which means that issues like this one will go unfixed (I do not intend...

Tornado is definitely a product of the View Source era of web development and Postel's law - there are probably a lot of places like this where we're more permissive...

> Or use something like watchman, which supports many modes and has proven to work with a huge amounts of files. Watchman is used in javascript land quite a lot...

What exactly do you mean by "HTTP Host header vulnerability"? Is it the same as DNS rebinding, discussed in #2256, or is there something more? The docs added in https://github.com/tornadoweb/tornado/pull/2297/files...