HttpClient should drop authorization headers when following redirects to different hosts by default

[Hixie]

I can't find evidence in the standards to support this, but it seems to be standard practice to drop Authorization headers when handling a cross-origin redirect, to avoid leaking credentials when the host has been tricked into sending redirects somehow.

See e.g.
https://stackoverflow.com/questions/17092259/should-authorization-be-kept-when-redirection-is-handled

[bleroux]

For reference, how curl deals with this :
https://curl.se/docs/CVE-2018-1000007.html

• drops authorization headers when handling a redirect to another host (doesn't drop if same host and different port).
• doesn't drop if --location-trusted option is used

[satamas]

That's not only a security issue but a usability issue also. For example, if have a server with an authorization that redirects to S3 it leads to an error because S3 tries to use provided authorization header. We have faced it implementing dart packages repositories support in our tool and we weren't the first one https://stackoverflow.com/questions/63694476/how-to-remove-authorization-header-on-redirect-on-any-flutter-dart-http-client

[dtretyakov]

How the same security issue was addressed in Ktor HttpClient: ktorio/ktor@0c10815

[brianquinlan]

Duplicate of #45410