Details
Bug
Resolution: Unresolved
P2: Important
None
5.13.2
Description
With FollowRedirectsAttribute enabled, the Authorization header is not being removed from the request headers when the request redirects to a different origin.
If the new request doesn't match the existing request's hostname, the "Authorization" header must be removed before sending the second request. Currently, this will leak the contents of the header to the destination server.
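
The check the description asks for, as an added standard-library C++ example (not Qt's code and not part of the original report): before following a redirect, compare the two URLs and drop `Authorization` when they differ. It assumes a full origin comparison (scheme, host and port), which is stricter than the hostname match named above. All function and type names, URLs and the token are hypothetical.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <map>
#include <string>

// Hypothetical names for this example; none of this is Qt's API.
using Headers = std::map<std::string, std::string>;
struct Origin { std::string scheme, host; int port = -1; };

static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}
// Scheme, host and port of an absolute URL. Input it cannot parse (IPv6
// literals included) keeps port == -1 and is treated as a different origin.
Origin originOf(const std::string &url) {
    Origin o;
    const auto sep = url.find("://");
    if (sep == std::string::npos) return o;
    o.scheme = lower(url.substr(0, sep));
    const auto end = url.find_first_of("/?#", sep + 3);
    std::string auth = url.substr(sep + 3, end == std::string::npos ? end : end - sep - 3);
    const auto at = auth.rfind('@');  // drop userinfo, if any
    if (at != std::string::npos) auth.erase(0, at + 1);
    const auto colon = auth.rfind(':');
    const std::string p = colon == std::string::npos ? "" : auth.substr(colon + 1);
    const auto digit = [](unsigned char c) { return std::isdigit(c) != 0; };
    if (colon == std::string::npos) o.port = o.scheme == "https" ? 443 : o.scheme == "http" ? 80 : -1;
    else if (!p.empty() && p.size() <= 5 && std::all_of(p.begin(), p.end(), digit)) o.port = std::stoi(p);
    o.host = lower(auth.substr(0, colon));
    return o;
}
// Fail closed: if either URL cannot be parsed, the origins do not match.
bool sameOrigin(const std::string &a, const std::string &b) {
    const Origin x = originOf(a), y = originOf(b);
    if (x.port < 0 || y.port < 0 || x.host.empty()) return false;
    return x.scheme == y.scheme && x.host == y.host && x.port == y.port;
}
// Headers for the redirected request: Authorization is removed (header names
// compared case-insensitively) unless the target has the same origin.
Headers headersForRedirect(Headers h, const std::string &from, const std::string &to) {
    if (sameOrigin(from, to)) return h;
    for (auto it = h.begin(); it != h.end();) {
        if (lower(it->first) == "authorization") it = h.erase(it); else ++it;
    }
    return h;
}
int main() {  // constructed sample: cross-origin redirect, so this prints 0
    Headers sent = {{"Authorization", "Bearer constructed-token"}};
    std::cout << headersForRedirect(sent, "https://a.example.test/", "https://b.example.test/").count("Authorization") << "\n";
}
```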