Do not include authorization header in an HTTP redirect
authorThomas Fitzsimmons <fitzsim@fitzsim.org>
Wed, 23 Sep 2015 05:45:29 +0000 (01:45 -0400)
committerThomas Fitzsimmons <fitzsim@fitzsim.org>
Wed, 23 Sep 2015 05:58:13 +0000 (01:58 -0400)
* lisp/url/url-http.el (url-http-parse-headers): Do not
automatically include Authorization header in redirect.
(Bug#21350)

lisp/url/url-http.el

index 6a7d8e2c94716cbb23bf051e9e35337c6020346e..7367a1eb3e9ceb1298cec58e95dcbd660cc2bfd3 100644 (file)
@@ -25,8 +25,8 @@
 
 ;;; Code:
 
+(require 'cl-lib)
 (eval-when-compile
-  (require 'cl-lib)
   (require 'subr-x))
 
 (defvar url-callback-arguments)
@@ -646,6 +646,12 @@ should be shown to the user."
                ;; compute the redirection relative to the URL of the proxy.
               (setq redirect-uri
                     (url-expand-file-name redirect-uri url-http-target-url)))
+          ;; Do not automatically include an authorization header in the
+          ;; redirect.  If needed it will be regenerated by the relevant
+          ;; auth scheme when the new request happens.
+          (setq url-http-extra-headers
+                (cl-remove "Authorization"
+                           url-http-extra-headers :key 'car :test 'equal))
            (let ((url-request-method url-http-method)
                 (url-request-data url-http-data)
                 (url-request-extra-headers url-http-extra-headers))
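Review bot: The `cl-remove` call added just before the `let` matches the header name with `:test 'equal`, which is case-sensitive, while HTTP field names are case-insensitive. A caller-supplied `authorization` or `AUTHORIZATION` entry in `url-http-extra-headers` would apparently survive the filter and still be bound into `url-request-extra-headers` for the redirected request. A case-folding match closes that gap, e.g. `(cl-remove-if (lambda (h) (string= (downcase (car h)) "authorization")) url-http-extra-headers)`. Other credential-bearing entries a caller may have put in the extra headers (such as `Cookie` or `Proxy-Authorization`) are not touched here and may deserve the same treatment when the redirect leaves the original host. The enclosing `url-http-parse-headers` begins and ends outside the hunk.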