It doesn't forward the auth on the first example I sent with flask.
I'm adding the header in 'url-request-extra-headers',
perhaps there is another way to do it.

On Sat, Sep 21, 2019 at 9:41 AM Lars Ingebrigtsen <larsi@gnus.org> wrote:

> Romain Ouabdelkader <romain.ouabdelkader@gmail.com> writes:
>
> > Indeed, curl does the same thing:
> > https://curl.haxx.se/docs/CVE-2018-1000007.html
> >
> > But it seems to only strip the Authorization header if the redirect is
> on
> > another host:
> >
> > https://github.com/curl/curl/commit/af32cd3859336ab.patch
>
> Right.  But Thomas seems to imply in Bug#21350 that url.el will
> determine when doing the redirected call whether to include auth again,
> so if that new URL requires auth, then it'll be regenerated at that
> point.
>
> Is that not the case?
>
> --
> (domestic pets only, the antidote for overdose, milk.)
>    bloggy blog: http://lars.ingebrigtsen.no
>