libHttpClient provides a platform abstraction layer for HTTP and WebSocket, and is designed for use by the Microsoft Xbox Live Service API (XSAPI) [https://github.com/Microsoft/xbox-live-api] and game devs. If you want to contribute to the project, please talk to us to avoid overlap.
MIT License
Redirects should not pass along the authorization header for security and usability reasons #547
Apple does this by default (see https://github.com/Alamofire/Alamofire/issues/798) but it appears the Windows HTTP implementation gives flexibility here. To be consistent across platforms as well as not leak auth tokens to other locations, the auth header should be removed.
Your outstanding PR adds this for redirects to the Windows HTTP path, right? And prior to your change, redirects happen but include the auth token, is that right?
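The behaviour this issue asks for, as an added example (not libHttpClient's code and not the PR's): a client that follows redirects itself and drops the Authorization header before re-issuing the request. `FollowRedirects`, `Response`, `Hop` and the URL-to-response table are hypothetical names standing in for a real transport.

```cpp
#include <algorithm>
#include <cctype>
#include <map>
#include <string>
#include <utility>
#include <vector>

using HeaderList = std::vector<std::pair<std::string, std::string>>;
struct Response { int status; std::string location; };  // constructed stand-in for a server reply
struct Hop { std::string url; HeaderList sent; };        // what one request actually carried

// Header names are case-insensitive, so compare without regard to case.
static bool NameIs(const std::string& name, const std::string& want) {
    return name.size() == want.size() &&
           std::equal(name.begin(), name.end(), want.begin(),
               [](unsigned char a, unsigned char b) { return std::tolower(a) == std::tolower(b); });
}

bool HasAuthorization(const HeaderList& h) {
    return std::any_of(h.begin(), h.end(),
        [](const std::pair<std::string, std::string>& kv) { return NameIs(kv.first, "Authorization"); });
}

static bool IsRedirect(int s) { return s == 301 || s == 302 || s == 303 || s == 307 || s == 308; }

// Follows redirects by hand over a constructed URL -> response table and records
// the headers sent on each hop. Only the first URL ever receives Authorization.
std::vector<Hop> FollowRedirects(const std::map<std::string, Response>& server,
                                 std::string url, HeaderList headers, int maxHops = 5) {
    std::vector<Hop> hops;
    for (int i = 0; i <= maxHops; ++i) {  // bounded so a redirect loop terminates
        hops.push_back({url, headers});
        auto it = server.find(url);
        if (it == server.end() || !IsRedirect(it->second.status) || it->second.location.empty()) break;
        // Redirect: remove the credential before the request is re-issued.
        headers.erase(std::remove_if(headers.begin(), headers.end(),
            [](const std::pair<std::string, std::string>& kv) { return NameIs(kv.first, "Authorization"); }),
            headers.end());
        url = it->second.location;
    }
    return hops;
}
```
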