Katsuhiko YOSHIDA added the comment:
Hi,
I agree with this suggestion.
First, section 6.4 "Redirection 3xx" of RFC 7231 doesn't explicitly explain
whether to send all headers (including Authorization).
I have confirmed that some third-party libraries, tools, Programming La
Katsuhiko YOSHIDA added the comment:
Thanks. But I think "add_unredirected_header" is not enough.
These sensitive headers should be removed automatically, for security, only when
redirecting cross-site, like HTTPBasicAuthHandler of urllib2 does. In order to
fulfill this requirement, I think
Katsuhiko YOSHIDA added the comment:
According to RFC 7235 (https://tools.ietf.org/html/rfc7235#section-4.1),
the WWW-Authenticate header is sent from the server to the client, and it does
not contain credential data.
Also, the Cookie2 header is already obsoleted by RFC6295
(https://tools.ietf.org/html/rfc6265
New submission from Katsuhiko YOSHIDA :
The schema of my sqlite3 table is the following.
--- schema check start ---
% sqlite3 sample.db
SQLite version 3.16.0 2016-11-04 19:09:39
Enter ".help" for usage hints.
sqlite> PRAGMA table_info(Employees);
0|EmployeeID|int|1||1
1|LastName|varch