Ivan Pozdeev <ivan_pozd...@mail.ru> added the comment:

According to https://stackoverflow.com/questions/1969709/how-to-forward-headers-on-http-redirect , there's nothing in the specs that mentions (even the possibility) of any special request header processing.
According to https://tools.ietf.org/html/rfc7231#section-6.4 , redirection targets are to be treated as effectively equal to the original URL.

So, there aren't any grounds for the proposed filtering from web standards' POV.

Neither are there from security POV: once you have given your credentials to a server, it is free to do whatever it wants with them. So, by giving them, you have effectively put down your signature that you trust the server with your data -- which implies trusting its advice where to resend it. The server could as well do that resending itself and pass you the end result. So, your proposed filtering does not actually achieve anything meaningful.

----------
nosy: +Ivan.Pozdeev

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue33661>
_______________________________________