>From 5a3c80ca5323cde23eca4638a28e4f8cc28dd2df Mon Sep 17 00:00:00 2001
From: Thomas Fitzsimmons
Date: Sun, 6 Sep 2015 15:56:53 -0400
Subject: [PATCH 2/2] Do not include authorization header in an HTTP redirect

* lisp/url/url-http.el (url-http-parse-headers): Do not automatically include Authorization header in redirect.
---
 lisp/url/url-http.el | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/lisp/url/url-http.el b/lisp/url/url-http.el
index 6a7d8e2..b5c1a33 100644
--- a/lisp/url/url-http.el
+++ b/lisp/url/url-http.el
@@ -646,6 +646,12 @@ should be shown to the user."
 ;; compute the redirection relative to the URL of the proxy.
 (setq redirect-uri
 (url-expand-file-name redirect-uri url-http-target-url)))
+ ;; Do not automatically include an authorization header in the
+ ;; redirect. If needed it will be regenerated by the relevant
+ ;; auth scheme when the new request happens.
+ (setq url-http-extra-headers
+ (cl-remove "Authorization"
+ url-http-extra-headers :key 'car :test 'equal))
 (let ((url-request-method url-http-method)
 (url-request-data url-http-data)
 (url-request-extra-headers url-http-extra-headers))
--
1.8.3.1
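Review bot: The added `cl-remove` call matches the header name with `:test 'equal`, which is case-sensitive, while HTTP field names are case-insensitive. An entry spelled `"authorization"` or `"AUTHORIZATION"` in `url-http-extra-headers` would therefore survive the filter and still be sent to the redirect target. Comparing on the downcased name closes that gap, for example `(cl-remove-if (lambda (h) (equal (downcase (car h)) "authorization")) url-http-extra-headers)`. The filter also leaves other credential-bearing headers a caller might have supplied (`Proxy-Authorization`, `Cookie`) in place; whether those can reach this list depends on code outside the hunk, so it is worth confirming. The enclosing `url-http-parse-headers` begins and ends outside the hunk.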