From 9004f4e57c1e8db1f91d4d7bcabc29c46470e1cd Mon Sep 17 00:00:00 2001
From: Anne van Kesteren <annevk@annevk.nl>
Date: Fri, 25 Nov 2022 09:29:50 +0100
Subject: [PATCH] Remove Authorization header upon cross-origin redirect

Tests: https://github.com/web-platform-tests/wpt/pull/37145.

Fixes #944.
---
 fetch.bs | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/fetch.bs b/fetch.bs
index dbf17712a..6312340f0 100644
--- a/fetch.bs
+++ b/fetch.bs
@@ -4974,11 +4974,10 @@ run these steps:
  <li><p>If <var>locationURL</var>'s <a for=url>scheme</a> is not an <a>HTTP(S) scheme</a>, then
  return a <a>network error</a>.
 
- <li><p>If <var>request</var>'s <a for=request>redirect count</a> is
- twenty, return a <a>network error</a>.
+ <li><p>If <var>request</var>'s <a for=request>redirect count</a> is 20, then return a
+ <a>network error</a>.
 
- <li><p>Increase <var>request</var>'s
- <a for=request>redirect count</a> by one.
+ <li><p>Increase <var>request</var>'s <a for=request>redirect count</a> by 1.
 
  <li><p>If <var>request</var>'s <a for=request>mode</a> is "<code>cors</code>",
  <var>locationURL</var> <a>includes credentials</a>, and <var>request</var>'s
@@ -5016,6 +5015,16 @@ run these steps:
    <a for=request>header list</a>.
   </ol>
 
+ <li>
+  <p>If <var>request</var>'s <a for=request>current URL</a>'s <a for=url>origin</a> is not
+  <a>same origin</a> with <var>locationURL</var>'s <a for=url>origin</a>, then
+  <a for=list>for each</a> <var>headerName</var> of <a>CORS non-wildcard request-header name</a>,
+  <a for="header list">delete</a> <var>headerName</var> from <var>request</var>'s
+  <a for=request>header list</a>.
+
+  <p class=note>I.e., the moment another origin is seen after the initial request, the
+  `<code>Authorization</code>` header is removed.
+
  <li>
   <p>If <var>request</var>'s <a for=request>body</a> is non-null, then set <var>request</var>'s
   <a for=request>body</a> to the <a for="body with type">body</a> of the result of