From eaa1d3b9a929476ea8e93710df95441cec3043fa Mon Sep 17 00:00:00 2001
From: Anne van Kesteren <annevk@annevk.nl>
Date: Mon, 21 Nov 2022 17:27:44 +0100
Subject: [PATCH] Remove Authorization header upon cross-origin redirect

Tests: ...

Fixes #944.
---
 fetch.bs | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/fetch.bs b/fetch.bs
index faefce048..0e555d17c 100644
--- a/fetch.bs
+++ b/fetch.bs
@@ -4934,11 +4934,10 @@ run these steps:
  <li><p>If <var>locationURL</var>'s <a for=url>scheme</a> is not an <a>HTTP(S) scheme</a>, then
  return a <a>network error</a>.
 
- <li><p>If <var>request</var>'s <a for=request>redirect count</a> is
- twenty, return a <a>network error</a>.
+ <li><p>If <var>request</var>'s <a for=request>redirect count</a> is 20, then return a
+ <a>network error</a>.
 
- <li><p>Increase <var>request</var>'s
- <a for=request>redirect count</a> by one.
+ <li><p>Increase <var>request</var>'s <a for=request>redirect count</a> by 1.
 
  <li><p>If <var>request</var>'s <a for=request>mode</a> is "<code>cors</code>",
  <var>locationURL</var> <a>includes credentials</a>, and <var>request</var>'s
@@ -4976,6 +4975,16 @@ run these steps:
    <a for=request>header list</a>.
   </ol>
 
+ <li>
+  <p>If <var>request</var>'s <a for=request>current URL</a>'s <a for=url>origin</a> is not
+  <a>same origin</a> with <var>locationURL</var>'s <a for=url>origin</a>, then
+  <a for=list>for each</a> <var>headerName</var> of <a>CORS non-wildcard request-header name</a>,
+  <a for="header list">delete</a> <var>headerName</var> from <var>request</var>'s
+  <a for=request>header list</a>.
+
+  <p class=note>I.e., the moment another origin is seen after the initial request, the
+  `<code>Authorization</code>` header is removed.
+
  <li>
   <p>If <var>request</var>'s <a for=request>body</a> is non-null, then set <var>request</var>'s
   <a for=request>body</a> to the <a for="body with type">body</a> of the result of