Open srcreigh opened 6 years ago
Good point. We've had some discussions about cookie handling on redirects before (#1452, #602), but not the Authorization header (Is there a standard list of headers that may need to be stripped on redirect? I couldn't find one). It's tricky because sometimes you need to keep the auth info (roughly speaking when you're redirecting within the same domain, although the rules are complex and different for cookies and HTTP auth).
In the meantime, you can set follow_redirects=False and handle redirects yourself.
Reportedly cURL doesn't use the Authorization header if a request is redirected to a different host. See here for more info.
I ran into this just now with Twilio redirecting to AWS, and AWS rejecting the redirected request because it had the Twilio authorization. The same request using command-line curl works fine.
Using Tornado 5.0.
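Added example, not code from this thread or from Tornado: one way to apply the follow_redirects=False workaround suggested above, following redirects by hand and dropping the Authorization header when a hop leaves the original origin. The helper names, the scheme/host/port comparison (stricter than the "different host" rule mentioned for cURL), the GET-only loop and the example.com/example.net URLs are assumptions.

```python
from urllib.parse import urljoin, urlsplit

# Only Authorization is named in the thread; extend this tuple if needed.
STRIP_ON_CROSS_ORIGIN = ("authorization",)
DEFAULT_PORTS = {"http": 80, "https": 443}
REDIRECT_CODES = (301, 302, 303, 307, 308)


def origin(url):
    """Return (scheme, host, port) with the default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme)


def next_hop(current_url, location, headers):
    """Resolve a Location value and decide which headers go to the next hop."""
    target = urljoin(current_url, location)  # Location may be relative
    if origin(target) == origin(current_url):
        return target, dict(headers)
    kept = {k: v for k, v in headers.items()
            if k.lower() not in STRIP_ON_CROSS_ORIGIN}
    return target, kept


async def fetch_following(url, headers, max_redirects=5):
    """GET url, following redirects manually (hypothetical helper)."""
    # Imported here so the pure helpers above work without Tornado installed.
    from tornado.httpclient import AsyncHTTPClient

    client = AsyncHTTPClient()
    for _ in range(max_redirects + 1):
        resp = await client.fetch(url, headers=headers,
                                  follow_redirects=False, raise_error=False)
        if resp.code not in REDIRECT_CODES or "Location" not in resp.headers:
            return resp
        # Once stripped, the credential is not restored on later hops.
        url, headers = next_hop(url, resp.headers["Location"], headers)
    raise RuntimeError("too many redirects")
```
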