>From 26b71ed091d23853d1345295004a93c28ef287b9 Mon Sep 17 00:00:00 2001
From: Thomas Fitzsimmons
Date: Tue, 25 Aug 2015 22:27:44 -0400
Subject: [PATCH] Do not include authorization header in an HTTP redirect

* lisp/url/url-http.el (url-http-parse-headers): Do not automatically include Authorization header in redirect.
---
 lisp/url/url-http.el | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/lisp/url/url-http.el b/lisp/url/url-http.el
index 6a7d8e2..4f3213d 100644
--- a/lisp/url/url-http.el
+++ b/lisp/url/url-http.el
@@ -646,6 +646,15 @@ (defun url-http-parse-headers ()
 ;; compute the redirection relative to the URL of the proxy.
 (setq redirect-uri
 (url-expand-file-name redirect-uri url-http-target-url)))
+ ;; Don't automatically include authorization header in redirect.
+ ;; If needed it will be regenerated by the relevant auth scheme
+ ;; when the new request happens.
+ (setq url-http-extra-headers
+ (let (result)
+ (dolist (header url-http-extra-headers)
+ (if (not (equal (car header) "Authorization"))
+ (push header result)))
+ (nreverse result)))
 (let ((url-request-method url-http-method)
 (url-request-data url-http-data)
 (url-request-extra-headers url-http-extra-headers))
-- 
2.4.2
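Review bot: The filter in the added `dolist` matches the header name with `(equal (car header) "Authorization")`, which is case-sensitive, while HTTP field names are case-insensitive; a caller that supplied the credential as `authorization` or `AUTHORIZATION` in its extra headers would still have it sent to the redirect target. Comparing a normalised name closes that gap, e.g. `(if (not (equal (downcase (car header)) "authorization"))`, assuming header names in this list are always strings. The added comment could also say that the strip is unconditional (same-host redirects included) and that it relies on the auth scheme to re-add credentials for the new request. `url-http-parse-headers` starts and ends outside this hunk, so how callers populate `url-http-extra-headers` is not visible here.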