bpo-33661: Clear Authorization header when redirect to cross-site #11292
kyoshidajp wants to merge 3 commits into python:main from
Hello, and thanks for your contribution! I'm a bot set up to make sure that the project can legally accept your contribution by verifying you have signed the PSF contributor agreement (CLA). Our records indicate we have not received your CLA. For legal reasons we need you to sign this before we can look at your contribution. Please follow the steps outlined in the CPython devguide to rectify this issue. If you have recently signed the CLA, please wait at least one business day. You can check yourself to see if the CLA has been received. Thanks again for your contribution, we look forward to reviewing it!
eamanu left a comment:
According to https://bugs.python.org/msg317793, the problem is that both authorization and cookies are sent on the redirect. Here I don't see the filter for Cookies. Is that not necessary?
@eamanu Thanks. It slipped my mind. I will add it. BTW, should I add other sensitive headers (WWW-Authenticate, Cookie2), too?
I will put it in bugs.python for discussion.
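The behaviour eamanu and the author are discussing, as an added illustration rather than the code from this PR: a urllib.request redirect handler that drops the Authorization, Cookie and Cookie2 request headers whenever the redirect target is on a different origin, so credentials meant for one site are never replayed to another. The names CrossSiteSafeRedirectHandler, is_cross_site, headers_for_redirect and simulate_redirect are assumptions, and the origin comparison (scheme, host and port) is stricter than a host-only check.

```python
import urllib.request
from urllib.parse import urlsplit

# Credential-bearing request headers to drop on a cross-site redirect (assumed
# list, taken from the headers named in this thread; WWW-Authenticate is a
# response header and never appears on an outgoing request, so it is omitted).
SENSITIVE_HEADERS = frozenset({"authorization", "cookie", "cookie2"})


def is_cross_site(original_url: str, new_url: str) -> bool:
    """True when the redirect leaves the original origin (scheme, host or port)."""
    a, b = urlsplit(original_url), urlsplit(new_url)
    return (a.scheme, a.hostname, a.port) != (b.scheme, b.hostname, b.port)


def headers_for_redirect(original_url: str, new_url: str, headers: dict) -> dict:
    """Copy of `headers` with credentials removed if the redirect is cross-site."""
    if not is_cross_site(original_url, new_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}


class CrossSiteSafeRedirectHandler(urllib.request.HTTPRedirectHandler):
    """HTTPRedirectHandler that does not forward credentials across sites.

    Install with urllib.request.build_opener(CrossSiteSafeRedirectHandler).
    """

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        # The stock handler builds the follow-up request and copies every
        # header except Content-Length/Content-Type; strip credentials after it.
        new_req = super().redirect_request(req, fp, code, msg, headers, newurl)
        if is_cross_site(req.full_url, new_req.full_url):
            for name in list(new_req.headers):  # Request stores capitalised names
                if name.lower() in SENSITIVE_HEADERS:
                    new_req.remove_header(name)
        return new_req


def simulate_redirect(original_url: str, new_url: str, headers: dict) -> dict:
    """Feed a 302 to the handler offline and return the headers the follow-up
    request would carry (no network traffic is generated)."""
    req = urllib.request.Request(original_url, headers=headers)
    new_req = CrossSiteSafeRedirectHandler().redirect_request(
        req, None, 302, "Found", {}, new_url)
    return dict(new_req.headers)
```

A same-origin redirect keeps every header, so existing login flows that bounce within one host are unaffected; only the hop to another origin loses the credential headers.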
Most changes to Python require a NEWS entry. Please add it using the blurb_it web app or the blurb command-line tool.
This PR is stale because it has been open for 30 days with no activity.
https://bugs.python.org/issue33661