Indeed, curl does the same thing:
https://curl.haxx.se/docs/CVE-2018-1000007.html
But it seems to only strip the Authorization header if the redirect is
on another host:
https://github.com/curl/curl/commit/af32cd3859336ab.patch

On Fri, Sep 20, 2019 at 10:36 PM Lars Ingebrigtsen wrote:
> Romain Ouabdelkader writes:
>
> > I have an issue with the 'url-retrieve' function:
> > If the target url returns a redirect, the 'Authorization' header is not
> > sent on the redirect url.
>
> This is apparently on purpose:
>
>       ;; Do not automatically include an authorization header in the
>       ;; redirect.  If needed it will be regenerated by the relevant
>       ;; auth scheme when the new request happens.
>       (setq url-http-extra-headers
>             (cl-remove "Authorization"
>                        url-http-extra-headers :key 'car :test 'equal))
>
> It's from this patch:
>
> commit 325200ac1dcf5bed6918ea827d8a48d89487e083
> Author: Thomas Fitzsimmons
> Date:   Wed Sep 23 01:45:29 2015 -0400
>
>     Do not include authorization header in an HTTP redirect
>
>     * lisp/url/url-http.el (url-http-parse-headers): Do not
>     automatically include Authorization header in redirect.
>     (Bug#21350)
>
> And I think that makes sense -- when there's a redirect, the domain may
> be new, and the auth should perhaps not be sent there.
>
> I've had a look at the standards, but I can't see that they say anything
> about this, so I think that perhaps this works as it's supposed to.  But
> I haven't checked what Firefox does, for instance.
>
> --
> (domestic pets only, the antidote for overdose, milk.)
> bloggy blog: http://lars.ingebrigtsen.no
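The three behaviours discussed in the thread (a naive client that forwards Authorization on every redirect, url-http.el's strip-on-every-redirect, and curl's strip-only-when-the-host-changes) can be modelled side by side. The following is an added example written for this page; it is not code from Emacs, curl or any other project. The redirect table, the URLs and the token are constructed for the demonstration, the policy names are invented, and the "same host" test is a hostname-only comparison chosen here as an assumption, not a claim about exactly what curl's commit compares.

```python
"""Added example: what happens to an Authorization header across a
redirect chain under three forwarding policies.

Policies (names invented here, behaviours paraphrased from the thread):
  "keep-always"       naive client: header is forwarded on every hop
  "strip-always"      url-http.el as quoted: header is dropped on every
                      redirect and left to the auth scheme to regenerate
  "strip-cross-host"  curl after CVE-2018-1000007, as described in the
                      thread: header kept only while the host is unchanged
"""
from urllib.parse import urljoin, urlsplit

SENSITIVE = "authorization"

# Constructed redirect map standing in for the servers involved:
# request URL -> value of the Location response header.  The API host
# first redirects relatively (same host), then hands off to a CDN on a
# different host.
REDIRECTS = {
    "https://api.example.com/v1/file": "/v1/file/latest",
    "https://api.example.com/v1/file/latest": "https://cdn.other.net/blob/123",
}


def _host(url: str) -> str:
    """Hostname only, lower-cased (assumption: scheme and port are not part
    of the comparison, which is the loosest reasonable same-host test)."""
    return (urlsplit(url).hostname or "").lower()


def headers_for_redirect(request_url: str, location: str, headers: dict,
                         policy: str = "strip-cross-host") -> tuple:
    """Return (next_url, headers_to_send) for following a 3xx response.

    `location` may be relative, so it is resolved against the URL of the
    request that produced the redirect before the hosts are compared.
    Header names are matched case-insensitively.
    """
    next_url = urljoin(request_url, location)
    forwarded = {k: v for k, v in headers.items() if k.lower() != SENSITIVE}
    auth = next((v for k, v in headers.items() if k.lower() == SENSITIVE), None)

    if auth is None:
        return next_url, forwarded
    if policy == "strip-always":
        pass
    elif policy == "strip-cross-host":
        if _host(request_url) == _host(next_url):
            forwarded["Authorization"] = auth
    elif policy == "keep-always":
        forwarded["Authorization"] = auth
    else:
        raise ValueError(f"unknown policy {policy!r}")
    return next_url, forwarded


def follow(start_url: str, headers: dict, policy: str,
           max_hops: int = 10) -> list:
    """Walk REDIRECTS from start_url and return, for every request made,
    (host contacted, whether an Authorization header was sent to it)."""
    url, hdrs, trace = start_url, dict(headers), []
    for _ in range(max_hops + 1):
        sent_auth = any(k.lower() == SENSITIVE for k in hdrs)
        trace.append((_host(url), sent_auth))
        location = REDIRECTS.get(url)
        if location is None:          # final response, no Location header
            return trace
        url, hdrs = headers_for_redirect(url, location, hdrs, policy)
    raise RuntimeError("too many redirects")


if __name__ == "__main__":
    req = {"Authorization": "Bearer constructed-token", "Accept": "*/*"}
    for policy in ("keep-always", "strip-cross-host", "strip-always"):
        print(policy, follow("https://api.example.com/v1/file", req, policy))
```

Under "keep-always" the token reaches cdn.other.net, which is the leak the curl advisory is about; "strip-cross-host" still sends it to the second api.example.com request but not to the CDN; "strip-always" sends it only on the very first request, matching the url-retrieve behaviour Romain observed. Note that the hostname-only comparison used here would still forward the header on a same-host redirect from https:// to http://; a client that wants to be stricter should compare scheme and port as well.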