Adding redirectLocationTrusted option to retain authorization header on redirect domain change

[gareth-robinson]

PR Checklist:

• [Y] I have run npm test locally and all tests are passing.
• [Y] I have added/updated tests for any new behavior.
  • new tests added into tests/test-redirect-auth.js
• [Y] If this is a significant change, an issue has already been created where the problem / solution was discussed:
  • Not a significant change, but has been mentioned a few times in the issues:
    • Add an option to whether to keep authorization header on redirection #2606
    • Removal of Authorization header is surprising #2278

PR Description

If a redirect location has a different domain than the original request (excluding port and protocol changes) then any authorization header is removed from the request. This is currently a deliberate choice in the code, to do the same as curl (for security reasons), as per this comment: https://github.com/request/request/blob/master/lib/redirect.js#L134

Curl does have an option --location-trusted for overriding that behaviour though: (https://curl.haxx.se/docs/manpage.html#--location-trusted) so this pull request is to add an equivalent option redirectLocationTrusted to request. If not supplied this option defaults to false, keeping the original behaviour.

In this change I've kept redirectLocationTrusted as the simple boolean that curl has. It could be overloaded for finer grained options (e.g. a domain matching regex) if it was felt that would be of more value.

[gareth-robinson]

Bleurgh, it worked locally with node 6.12 :( but travis CI is failing. Will investigate.

[gareth-robinson]

Raised #2877 to discuss fixing the Travis CI issues

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.