From 4329a7e88c72079ae3eedbb1558b929851507464 Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Wed, 5 Feb 2025 16:18:10 -0600
Subject: [PATCH] session: Strip authentication credentails on cross-origin
 redirect

This should match the behavior of Firefox and Safari but not of Chromium.
---
 libsoup/soup-session.c |  6 ++++
 tests/auth-test.c      | 77 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 83 insertions(+)

diff --git a/libsoup/soup-session.c b/libsoup/soup-session.c
index dd3cdc46..82ca8bf9 100644
--- a/libsoup/soup-session.c
+++ b/libsoup/soup-session.c
@@ -1187,6 +1187,12 @@ soup_session_redirect_message (SoupSession *session, SoupMessage *msg)
 						   SOUP_ENCODING_NONE);
 	}
 
+        /* Strip all credentials on cross-origin redirect. */
+        if (!soup_uri_host_equal (soup_message_get_uri (msg), new_uri)) {
+                soup_message_headers_remove (msg->request_headers, "Authorization");
+                soup_message_set_auth (msg, NULL);
+        }
+
 	soup_message_set_uri (msg, new_uri);
 	soup_uri_free (new_uri);
 
-- 
2.49.0