[whatwg/fetch] Remove Authorization header upon cross-origin redirect (PR #1544)

The behavior defined here is such that if you go A1 -> B -> A2, A2 doesn't see the header. I think that's what we want. If you go A1 -> A2 -> B, B won't see the header. (A1 is making the initial request in both scenarios.)

Tests: ...

Fixes #944.

<!--
Thank you for contributing to the Fetch Standard! Please describe the change you are making and complete the checklist below if your change is not editorial.
-->

- [ ] At least two implementers are interested (and none opposed):
   * WebKit
   * …
- [ ] [Tests](https://github.com/web-platform-tests/wpt) are written and can be reviewed and commented upon at:
   * …
- [ ] [Implementation bugs](https://github.com/whatwg/meta/blob/main/MAINTAINERS.md#handling-pull-requests) are filed:
   * Chromium: …
   * Gecko: …
   * WebKit: …
   * Deno (not for CORS changes): …
- [ ] [MDN issue](https://github.com/whatwg/meta/blob/main/MAINTAINERS.md#handling-pull-requests) is filed: …

(See [WHATWG Working Mode: Changes](https://whatwg.org/working-mode#changes) for more details.)

You can view, comment on, or merge this pull request online at:

  https://github.com/whatwg/fetch/pull/1544


-- Commit Summary --

  * Remove Authorization header upon cross-origin redirect

-- File Changes --

    M fetch.bs (17)

-- Patch Links --

https://github.com/whatwg/fetch/pull/1544.patch

https://github.com/whatwg/fetch/pull/1544.diff


-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/1544

You are receiving this because you are subscribed to this thread.

Message ID: <whatwg/fetch/pull/1544@github.com>

Received on Monday, 21 November 2022 16:30:53 UTC