1) The section you refer to is 1.2 of RFC2617, which specifies the details on
Access Authentication in General and not specific to url redirects. So, I don't
think we should take it as a referece.

2) Under the section - 3.3 Digest Operation, the Authentication cases under
redirection is provided like this. (search for keyword 'redirect')

"""
The client will retry the request, at which time the server might respond with a 301/302 redirection, pointing to the URI on the second server. The client will follow the redirection, and pass an Authorization header , including the <opaque> data...
"""

This basically states that Authorization header should be passed on the
redirects in Digest authentication case and (should we assume in Basic
Authentication case also?) If yes, then urllib2 is actually doing the same
thing.  Do you have a practical scenario where this has resulted in failure/
security loophole?