
Error on Removal of Authorization Headers on Redirect Follow

Open ffimnsr opened this issue 1 year ago • 4 comments

This line causes incompatibility with curl and/or any other REST client: https://github.com/seanmonstar/reqwest/blob/ae2d5216649c9be04074e7ae2c37b129e8768470/src/async_impl/client.rs#L1996

Upon redirect it removes the authorization header if the referrer is not the same as the URL, and it breaks some of the API endpoints that require an Authorization header.

Version

reqwest 0.11 rust 1.63.0

ffimnsr avatar Oct 04 '22 04:10 ffimnsr

I've debugged it, and the problem with this is the cross_host check with the condition comparing ports. On some API endpoints which upgrade the transport protocol, the previous provides port 80 (insecure) and the next provides port 443 (secure).

https://github.com/seanmonstar/reqwest/blob/c6eb2c4fcbc3934b119772e0997d91671ff68dc7/src/redirect.rs#L237

Check =>
Some(
    443,
)
Some(
    80,
)

ffimnsr avatar Oct 04 '22 04:10 ffimnsr

Do other tools not compare the ports? I honestly can't remember right now.

seanmonstar avatar Oct 04 '22 04:10 seanmonstar

I've checked on curl and postman they allow authorization headers on the endpoint I was checking. I'm not sure if they do compare the ports :/

ffimnsr avatar Oct 04 '22 04:10 ffimnsr

@seanmonstar Upon checking the Python psf/requests library, here is the code: https://github.com/psf/requests/blob/2a6f290bc09324406708a4d404a88a45d848ddf9/requests/sessions.py#L137

        # Special case: allow http -> https redirect when using the standard
        # ports. This isn't specified by RFC 7235, but is kept to avoid
        # breaking backwards compatibility with older versions of requests
        # that allowed any redirects on the same host.

ffimnsr avatar Oct 04 '22 05:10 ffimnsr
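The two policies under discussion, as an added example that is not part of the issue thread and is not code from reqwest or from psf/requests: a strict check that treats any difference in hostname or effective port as cross-host (the behaviour the reporter hit, where an explicit `:80` versus `:443` comparison fails), and a lenient check that keeps the header only for the http:80 to https:443 upgrade on the same host (the special case quoted from requests). The function names, the `SENSITIVE_HEADERS` list and the sample URLs are assumptions made for this illustration; in particular the header list is a hypothetical approximation, not reqwest's actual list.

```python
"""
Added example: deciding whether Authorization survives a redirect.

Not code from reqwest or psf/requests. Function names, the header list
and the sample URLs below are assumptions for this illustration.
"""
from urllib.parse import urlsplit

# Default ports per scheme, so "http://host" and "http://host:80" compare equal.
DEFAULT_PORTS = {"http": 80, "https": 443}

# Hypothetical list of headers to drop on a cross-host redirect (assumption,
# not the exact list any particular client uses).
SENSITIVE_HEADERS = ("authorization", "proxy-authorization", "cookie")


def effective_port(url):
    """Port the request would actually connect to: explicit port, else scheme default."""
    parts = urlsplit(url)
    if parts.port is not None:
        return parts.port
    return DEFAULT_PORTS.get(parts.scheme)


def is_cross_host_strict(previous, next_url):
    """Strict policy: hostname and effective port must both match, scheme ignored.

    http://api.example.com -> https://api.example.com is cross-host here because
    the effective ports are 80 and 443.
    """
    p, n = urlsplit(previous), urlsplit(next_url)
    return (p.hostname, effective_port(previous)) != (n.hostname, effective_port(next_url))


def is_cross_host_lenient(previous, next_url):
    """Lenient policy: like strict, but same-host http:80 -> https:443 is allowed.

    A downgrade (https:443 -> http:80) or any non-standard port still counts as
    cross-host, so credentials are never sent to a less protected endpoint.
    """
    p, n = urlsplit(previous), urlsplit(next_url)
    if p.hostname != n.hostname:
        return True
    prev_port, next_port = effective_port(previous), effective_port(next_url)
    if prev_port == next_port:
        return False
    upgrade = (p.scheme, prev_port, n.scheme, next_port) == ("http", 80, "https", 443)
    return not upgrade


def headers_for_redirect(headers, previous, next_url, policy):
    """Return the headers to send on the redirected request under the given policy."""
    strip = policy(previous, next_url)
    return {
        name: value
        for name, value in headers.items()
        if not (strip and name.lower() in SENSITIVE_HEADERS)
    }


if __name__ == "__main__":
    # Constructed sample: the reporter's scenario, an http endpoint that
    # redirects to its https counterpart on the same host.
    previous = "http://api.example.com/v1/items"
    upgraded = "https://api.example.com/v1/items"
    request_headers = {"Authorization": "Bearer example-token", "Accept": "application/json"}
    for name, policy in (("strict", is_cross_host_strict), ("lenient", is_cross_host_lenient)):
        sent = headers_for_redirect(request_headers, previous, upgraded, policy)
        print(f"{name}: Authorization kept = {'Authorization' in sent}")
```

Under the strict policy the Authorization header is dropped for the http to https upgrade; under the lenient policy it is kept, but only because both sides are on the standard ports and the scheme goes up, not down. Comparing effective rather than explicit ports also avoids a false "cross-host" result for `http://host` versus `http://host:80`.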