tornadoweb / tornado

Tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed.
http://www.tornadoweb.org/
Apache License 2.0

SimpleAsyncHTTPClient forwards Authorization headers to different hosts on redirect #2458

Open srcreigh opened 6 years ago

srcreigh commented 6 years ago

Reportedly cURL doesn't use the Authorization header if a request is redirected to a different host. See here for more info.

I ran into this just now with Twilio redirecting to AWS, and AWS rejecting the redirected request because it had the Twilio authorization. The same request using command-line curl works fine.

Using Tornado 5.0.

bdarnell commented 6 years ago

Good point. We've had some discussions about cookie handling on redirects before (#1452, #602), but not the Authorization header (Is there a standard list of headers that may need to be stripped on redirect? I couldn't find one). It's tricky because sometimes you need to keep the auth info (roughly speaking when you're redirecting within the same domain, although the rules are complex and different for cookies and HTTP auth).

In the meantime, you can set follow_redirects=False and handle redirects yourself.
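The workaround described above (set follow_redirects=False and handle redirects yourself), worked out as an added example. This is not Tornado's code and not code from anyone in this thread. The list of credential headers to strip, and the rule that a hop is "same origin" only when scheme, host and port all match (stricter than curl's host-only check, so that a downgrade to http also drops credentials), are this example's own assumptions; the redirect-handling logic is kept in plain functions so it can be tested without Tornado, and only `fetch_following_redirects` touches `tornado.httpclient`.

```python
# Added example for the workaround in the thread: drive Tornado's client with
# follow_redirects=False and decide per hop which headers to carry forward.
# Not Tornado's own code. SENSITIVE_HEADERS and the same-origin rule below are
# assumptions made for this example; curl's documented rule is host-only.
from urllib.parse import urljoin, urlsplit

# Credential-bearing headers that must not follow a redirect to another origin.
# Assumption: chosen for this example; the thread notes there is no standard list.
SENSITIVE_HEADERS = ("Authorization", "Proxy-Authorization", "Cookie")
REDIRECT_CODES = {301, 302, 303, 307, 308}
DEFAULT_PORTS = {"http": 80, "https": 443}
MAX_REDIRECTS = 5


def origin(url):
    """(scheme, host, port) with default ports filled in, so that
    https://example.com and https://example.com:443 compare equal."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or ""), parts.port or DEFAULT_PORTS.get(scheme)


def headers_for_redirect(headers, current_url, target_url):
    """Headers to send on the redirected request: unchanged for a same-origin
    hop, with credential headers removed for a cross-origin hop (the
    Twilio -> AWS case from the issue). Header names compare case-insensitively."""
    if origin(current_url) == origin(target_url):
        return dict(headers)
    blocked = {name.lower() for name in SENSITIVE_HEADERS}
    return {k: v for k, v in headers.items() if k.lower() not in blocked}


def next_request(code, response_headers, method, current_url, headers):
    """For a 3xx response carrying a Location, return (method, url, headers) for
    the follow-up request; otherwise None. 303, and 301/302 after a POST, switch
    to GET; 307/308 keep the method."""
    if code not in REDIRECT_CODES:
        return None
    location = response_headers.get("Location")
    if not location:
        return None
    target = urljoin(current_url, location)  # Location may be relative
    if code == 303 or (code in (301, 302) and method == "POST"):
        method = "GET"
    return method, target, headers_for_redirect(headers, current_url, target)


async def fetch_following_redirects(url, headers, method="GET",
                                    max_redirects=MAX_REDIRECTS):
    """Fetch with Tornado, following redirects manually (follow_redirects=False)
    and applying next_request() to every hop. Tornado is imported here so the
    pure functions above can be used and tested without it. A POST caller would
    also have to carry a body; that is omitted here."""
    from tornado.httpclient import AsyncHTTPClient, HTTPRequest

    client = AsyncHTTPClient()
    for _ in range(max_redirects + 1):
        request = HTTPRequest(url, method=method, headers=headers,
                              follow_redirects=False)
        # raise_error=False: a 3xx must come back as a response, not an HTTPError
        response = await client.fetch(request, raise_error=False)
        step = next_request(response.code, response.headers, method, url, headers)
        if step is None:
            return response
        method, url, headers = step
    raise RuntimeError("too many redirects (> %d)" % max_redirects)


if __name__ == "__main__":
    # Constructed redirect: a 302 from one host to another, credentials attached.
    hop = next_request(302, {"Location": "https://files.example.org/report.pdf"},
                       "GET", "https://api.example.com/reports/1",
                       {"Authorization": "Basic dXNlcjpwYXNz", "Accept": "*/*"})
    print(hop)  # Authorization is dropped for the cross-host hop; Accept survives
```

The loop caps the number of hops so a redirect cycle cannot run forever, and `raise_error=False` is what makes the 3xx visible to the caller at all; with the default the client would raise an HTTPError for the non-2xx status before you could read its Location.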