dCache / dcache-view

A Web application that provides an easy-to-use User Interface for dCache System.

Don't send credentials when redirected to the pool #254

Open paulmillar opened 3 years ago

paulmillar commented 3 years ago

Transfers (uploads or downloads) are done using a WebDAV door. This is a GET or PUT request. For username+password, OIDC or Macaroon-based authentication, the GET or PUT request will include an Authorization HTTP header that contains the credential.

The door may (perhaps "should") redirect the client to the pool so that the transfer is not relayed through the door. When the door does this, the redirection URL contains a single-use token that authorises the transfer.

Currently, when dCacheView is redirected to the pool, it will include the credential in the request.

Beyond simply being redundant, this is bad as the WebDAV door may redirect the client to an unencrypted connection when connecting to the pool.

paulmillar commented 3 years ago

This looks like a problem with the Fetch API, but one that has been reported (see whatwg/fetch#944).

Right now, there seems to be no way to prevent the browser from sending credentials to the pool if the WebDAV door responds with a redirect.

paulmillar commented 1 year ago

The upstream bug (whatwg/fetch#944) is now closed by updating the live document. Insecure headers (including Authorization) are dropped on cross-origin requests.

Note that the different implementations (browsers) may lag in implementing this update.
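
The following is an added example, not part of the issue thread or of dcache-view's code: a small model of the redirect rule described in the last comment, useful for checking a recorded door-to-pool redirect chain for hops where the credential would still be sent. The host names, ports, token and credential are constructed sample values, the function names are hypothetical, and only the `Authorization` header is modelled.

```javascript
"use strict";

// Headers removed on a cross-origin redirect. Assumption: only Authorization is modelled.
const CROSS_ORIGIN_DROPPED = new Set(["authorization"]);

// Headers for the next hop after a redirect from currentUrl to the Location value.
function headersAfterRedirect(currentUrl, location, headers, stripOnCrossOrigin = true) {
  const from = new URL(currentUrl);
  const to = new URL(location, from); // Location may be relative to the current URL
  const crossOrigin = from.origin !== to.origin; // scheme, host and port must all match
  const next = {};
  for (const [name, value] of Object.entries(headers)) {
    if (stripOnCrossOrigin && crossOrigin && CROSS_ORIGIN_DROPPED.has(name.toLowerCase())) {
      continue; // deleted from the request, so later hops never see it again
    }
    next[name] = value;
  }
  return { url: to.href, headers: next };
}

// Walk a redirect chain and report, per hop, whether the credential is sent
// and whether it would travel over an unencrypted connection.
function walkRedirects(startUrl, locations, headers, stripOnCrossOrigin = true) {
  let hop = { url: new URL(startUrl).href, headers: { ...headers } };
  const report = [];
  for (const location of [null, ...locations]) {
    if (location !== null) {
      hop = headersAfterRedirect(hop.url, location, hop.headers, stripOnCrossOrigin);
    }
    const sendsAuthorization = Object.keys(hop.headers).some((n) => n.toLowerCase() === "authorization");
    report.push({
      url: hop.url,
      sendsAuthorization,
      cleartextCredential: sendsAuthorization && new URL(hop.url).protocol === "http:",
    });
  }
  return report;
}

// Constructed sample: door on HTTPS redirecting to a pool on plain HTTP.
const DOOR = "https://door.example.org:2880/data/file.dat";
const POOL = "http://pool.example.org:20000/data/file.dat?token=CONSTRUCTED";
const HEADERS = { Authorization: "Bearer CONSTRUCTED-CREDENTIAL", Accept: "*/*" };

console.log(walkRedirects(DOOR, [POOL], HEADERS));        // updated rule
console.log(walkRedirects(DOOR, [POOL], HEADERS, false)); // behaviour the issue reports
```

A redirect that stays on the door's origin keeps the header, and once the header has been dropped it is not restored if a later hop returns to the original origin.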