
Author artem.smotrakov
Recipients Ivan.Pozdeev, alex, artem.smotrakov, jwilk, orsenthil
Date 2018-06-18.13:04:05
Message-id <1529327045.13.0.56676864532.issue33661@psf.upfronthosting.co.za>
Content
If I am not missing something, section 6.4 of RFC 7231 doesn't explicitly discuss that all headers should be sent. I wish it did :)

I think that an Authorization header for host A may make sense for host B if both A and B use the same database with user credentials. I am not sure that modern authentication mechanisms like OAuth rely on this fact (although I need to check the specs to make sure).

Sending a Cookie header to a different domain looks like a violation of the same-origin policy to me. RFC 6265 says something about it:

https://tools.ietf.org/html/rfc6265#section-5.4

curl was recently updated to filter out Authorization headers in case of a redirect to another host. Chrome and Firefox don't send either Authorization or Cookie headers while handling a redirect. It doesn't seem to be a disaster for them :)
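One way to get the behaviour the comment attributes to curl, Chrome and Firefox in a urllib client, as an added example that is not code from the bug report or from CPython: the follow-up request built for a redirect keeps Authorization and Cookie only while the target stays on the same origin (scheme, host and port). The class name `OriginAwareRedirectHandler` and the helper `headers_for_redirect` are hypothetical names introduced here.

```python
import urllib.request
from urllib.parse import urlsplit

# Header names whose values are credentials scoped to the host that issued them.
SENSITIVE_HEADERS = frozenset({"authorization", "cookie"})


def _origin(url):
    """Return (scheme, host, port); a change of scheme or port also counts as
    leaving the origin, matching the same-origin notion in the comment."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme.lower() == "https" else 80)
    return (parts.scheme.lower(), (parts.hostname or "").lower(), port)


def headers_for_redirect(old_url, new_url, headers):
    """Copy `headers`, dropping Authorization and Cookie when `new_url` is on a
    different origin than `old_url`. Names are compared case-insensitively
    because urllib.request.Request capitalises header names on its own."""
    if _origin(old_url) == _origin(new_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}


class OriginAwareRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Hypothetical HTTPRedirectHandler subclass: let the base class build the
    follow-up Request, then prune credential headers for cross-origin targets."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        new_req = super().redirect_request(req, fp, code, msg, headers, newurl)
        kept = headers_for_redirect(req.full_url, newurl, dict(new_req.headers))
        for name in list(new_req.headers):
            if name not in kept:
                # remove_header also clears the unredirected_hdrs copy.
                new_req.remove_header(name)
        return new_req


def build_opener():
    """Opener that follows redirects with the origin-aware handler."""
    return urllib.request.build_opener(OriginAwareRedirectHandler())
```

Install it with `urllib.request.install_opener(build_opener())` before calling `urlopen`, or call `build_opener().open(...)` directly.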