Restore CLI precedence for web headers and HTTPS over web_dev_config.yaml

[Saqib198]

This PR restores the correct precedence behavior for web development server configuration. Since Flutter 3.38, CLI arguments were being ignored when web_dev_config.yaml was present — specifically for HTTPS and headers.

According to the design and documentation, the precedence should be:

1. Command-line arguments (highest priority)
2. web_dev_config.yaml
3. Built-in defaults (lowest priority)

Root Cause

The regression affected:

• HTTP headers — merge order was reversed, causing file config to override CLI
• HTTPS config — CLI TLS arguments were ignored under certain conditions

Note:
--web-port and --web-hostname were already working correctly due to the host ?? this.host and port ?? this.port pattern.
The observed issue was due to headers + HTTPS only.

Changes Made

• Fixed header merge order so CLI takes precedence
• Corrected HTTPS config resolution and precedence logic
• Unified logic across run and drive commands
• Simplified HTTPS handling using HttpsConfig.parse()
• Added tests for CLI precedence behavior

Before (broken)

flutter run -d chrome --web-tls-cert-path cert.pem

❌ CLI TLS args ignored when config file existed
❌ headers overridden by file config

After (fixed)

flutter run -d chrome --web-tls-cert-path cert.pem

✅ CLI TLS args respected
✅ headers override config as expected

Tests

• Added tests verifying CLI takes precedence
• All existing and new tests pass
• No breaking changes introduced

Fixes

Fixes: #179014

[flutter-dashboard]

It looks like this pull request may not have tests. Please make sure to add tests or get an explicit test exemption before merging.

If you are not sure if you need tests, consider this rule of thumb: the purpose of a test is to make sure someone doesn't accidentally revert the fix. Ask yourself, is there anything in your PR that you feel it is important we not accidentally revert back to how it was before your fix?

Reviewers: Read the Tree Hygiene page and make sure this patch meets those guidelines before LGTMing. If you believe this PR qualifies for a test exemption, contact "@test-exemption-reviewer" in the #hackers channel in Discord (don't just cc them here, they won't see it!). The test exemption team is a small volunteer group, so all reviewers should feel empowered to ask for tests, without delegating that responsibility entirely to the test exemption group.

[google-cla]

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

[gemini-code-assist]

Code Review

This pull request adjusts the configuration loading logic to ensure that command-line arguments have precedence over settings in web_dev_config.yaml. The changes affect how HTTPS configuration and web server headers are processed in the drive and run commands. Specifically, the order of merging headers is corrected in WebDevServerConfig.copyWith, and the logic for determining HttpsConfig is updated in both DriveCommand and RunCommand. While the changes are mostly correct, I've identified a logical flaw in drive.dart where CLI arguments for HTTPS are incorrectly ignored if a configuration file is not present, and I've provided a suggestion to align it with the correct implementation in run.dart.

[Saqib198]

Thanks for the review!
You're absolutely right — the previous logic in drive.dart was incorrectly depending on fileConfig != null, which caused CLI HTTPS arguments to be ignored when no config file was present.

I've updated the logic to match run.dart so that:

CLI arguments always take precedence

File config works only as a fallback

HTTPS config is correctly applied even without web_dev_config.yaml

Please let me know if anything else is needed.

[bkonyi]

Thanks for the PR @Saqib198!

This looks good to me in general, with a couple of minor suggestions. Also, this will need a test before it can be submitted.

[bkonyi]

Consider doing this instead (also in drive.dart):

final HttpsConfig? httpsConfig = (fileConfig.https ?? HttpsConfig()).copyWith(
  certPath: stringArg('web-tls-cert-path'),
  certKeyPath: stringArg('web-tls-cert-key-path'),
);

[Saqib198]

Thanks for the suggestion @bkonyi!

I tried implementing it, but HttpsConfig() cannot be instantiated without arguments since both certPath and certKeyPath are required parameters in the constructor:

const HttpsConfig({required this.certPath, required this.certKeyPath});

Instead, I've simplified the code using HttpsConfig.parse() which handles all the cases cleanly:

final HttpsConfig? httpsConfig = HttpsConfig.parse(
stringArg('web-tls-cert-path') ?? fileConfig.https?.certPath,
stringArg('web-tls-cert-key-path') ?? fileConfig.https?.certKeyPath,
);

This achieves the same simplification (reduced from 15 lines to 4 lines) while:

• CLI args take precedence over file config
• Falls back to file config values when CLI args not provided
• Returns null if neither provides both values
• Throws ArgumentError if only one path is provided (existing behavior)

I've also added tests for CLI precedence as requested. Let me know if you'd like any changes!

[kevmoo]

@Saqib198 – I moved things into this shared function so we have fewer places to keep this logic up-to-date!

[kevmoo]

I took over a bit to fix the analyzer and format issue and to do a tiny bit of cleanup

[Saqib198]

Hi @mdebbar 👋
Just a gentle ping on this when you get a chance.
All tests are green and @kevmoo has already applied cleanup/refactors.
Thanks!

[mdebbar]

Sorry for the delay here!

Help me understand. The way I'm seeing this PR, it seems to fix the precedence for https and headers. It doesn't change the precedence for the other mentioned arguments: web-port, web-hostname. Are those already working correctly, or am I missing something?

[kevmoo]

Yeah, these should all be changed, too – right? @Saqib198

RE comments from @mdebbar

[mdebbar]

I believe the way they are now is correct. But the issue says web-port's and web-hostname's precedence is incorrect, which is confusing.

[kevmoo]

Ah!

I get it.

By putting headers after this.headers, it overwrites.

But with port and host, the ?? has things the other way.

So it reads weird, but I think the code as it is now is correct.

[kevmoo]

But I agree, I see no code changes for anything but headers.

So was it really broken? Or are we missing something?

[Saqib198]

Thanks for calling this out — happy to clarify.

You’re right that web-port and web-hostname already had correct CLI > file precedence.
They use the pattern:

host: host ?? this.host,
port: port ?? this.port,

where host / port come from the CLI layer, so CLI values correctly override
web_dev_config.yaml today.

The regression introduced in 3.38 specifically affected:
• headers (due to merge order: {...?headers, ...this.headers})
• HTTPS config (due to conditional logic that ignored CLI TLS args when file config
was present or missing)

That’s why this PR only changes:
• header merge order
• HTTPS config resolution

The issue description mentioned web-port / web-hostname because the symptom users
observed was “CLI args ignored”, but the actual root cause was headers + HTTPS.
Port/hostname were already behaving correctly, so no change was needed there.

Happy to update the PR description or issue wording if that helps reduce confusion.

[mdebbar]

Ok, that makes more sense. Thanks for clarifying!

I would say yes let's update the issue and PR descriptions. If it confused me and @kevmoo, I'm sure it'll confuse more people later when they look at the history of this code.

[mdebbar]

[mdebbar]

@bkonyi does this look good to you? I think we need a 2nd approval to merge.

[Saqib198]

Hi @bkonyi 👋
All requested changes are addressed, tests are added, and the PR description is updated.
has been clarified per @mdebbar’s feedback.

Whenever you get a chance, please take a look.
Thanks a lot!

[auto-submit]

autosubmit label was removed for flutter/flutter/179639, because The base commit of the PR is older than 7 days and can not be merged. Please merge the latest changes from the main into this branch and resubmit the PR.

[auto-submit]

autosubmit label was removed for flutter/flutter/179639, because - The status or check suite Google testing has failed. Please fix the issues identified (or deflake) before re-applying this label.