Message319880
If I am not missing something, section 6.4 of RFC 7231 doesn't explicitly discuss that all headers should be sent. I wish it did :)
I think that an Authorization header for host A may make sense for host B if both A and B use the same database with user credentials. I am not sure that modern authentication mechanisms like OAuth rely on this fact (although I need to check the specs to make sure).
Sending a Cookie header to a different domain looks like a violation of the same-origin policy to me. RFC 6265 says something about it
https://tools.ietf.org/html/rfc6265#section-5.4
curl was recently updated to filter out Authorization headers in case of a redirect to another host. Chrome and Firefox don't sent either Authorization or Cookie headers while handling a redirect. It doesn't seem to be a disaster for them :) |
|
Date |
User |
Action |
Args |
2018-06-18 13:04:05 | artem.smotrakov | set | recipients:
+ artem.smotrakov, orsenthil, jwilk, alex, Ivan.Pozdeev |
2018-06-18 13:04:05 | artem.smotrakov | set | messageid: <1529327045.13.0.56676864532.issue33661@psf.upfronthosting.co.za> |
2018-06-18 13:04:05 | artem.smotrakov | link | issue33661 messages |
2018-06-18 13:04:05 | artem.smotrakov | create | |
|