
curl-tracker Archives

[curl:bugs] #1421 Custom Authorization is sent with CURLOPT_UNRESTRICTED_AUTH

From: Daniel Stenberg <bagder_at_users.sf.net>
Date: Thu, 04 Sep 2014 13:53:44 +0000

- **assigned_to**: Daniel Stenberg
- **Comment**:

Well, it's not really clear how libcurl should act if you pass in a custom Authorization: header. The documentation says "it can continue to send authentication (user+password) credentials when following locations" but as far as it knows, it doesn't send any user+password.

Are you suggesting it should check custom headers and not send "Authorization:" to other sites if this option is set? To me it feels like perhaps stepping a little too far off from what that option is "allowed". After all, you set the custom headers yourself so you should be able to make sure you set the correct headers. Don't you think?

---
**[bugs:#1421] Custom Authorization is sent with CURLOPT_UNRESTRICTED_AUTH**
**Status:** open
**Labels:** Authorization CURLOPT_UNRESTRICTED_AUTH 
**Created:** Wed Sep 03, 2014 01:16 PM UTC by lietus
**Last Updated:** Wed Sep 03, 2014 01:16 PM UTC
**Owner:** Daniel Stenberg
Hi,
-----
Reproduce with:
Setup: 
    curl_easy_setopt (m_curl, CURLOPT_FOLLOWLOCATION, 1);
    curl_easy_setopt (m_curl, CURLOPT_UNRESTRICTED_AUTH, 0L);
    Authorization header set with CURLOPT_HTTPHEADER
Case: 
    HttpStatus Found with redirect to different host
Result: 
    Authorization header is sent to different host
Expected: 
    (fails) Authorization header is not sent when redirecting to different host
-----
This does not seem to be by design. We are using token based authorization, so curl API for setting USERNAME and PASSWORD authentication cannot be used.
Related code: 
http.c(717): result = output_auth_headers(conn, authhost, request, path, FALSE);
Thanks
---
Received on 2014-09-04
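
An added example, not part of the mail above and not libcurl code: an application that sets its own `Authorization:` header can follow redirects itself and filter its header list per hop, forwarding the header only when scheme, host and port are unchanged. The function names, the `example.test` URLs and the token are constructed for this example; URLs carrying userinfo or an IPv6 literal are treated as a different origin so the check fails closed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Normalise an http(s) URL to "scheme://host:port"; -1 for anything else. */
static int origin_of(const char *url, char *out, size_t olen) {
    int https = strncasecmp(url, "https://", 8) == 0;
    if (!https && strncasecmp(url, "http://", 7) != 0) return -1;
    url += https ? 8 : 7;
    size_t alen = strcspn(url, "/?#");               /* authority ends here */
    const char *colon = memchr(url, ':', alen);
    size_t n = colon ? (size_t)(colon - url) : alen; /* host length */
    if (n == 0 || n > 253 || memchr(url, '@', alen) || url[0] == '[') return -1;
    long port = https ? 443 : 80;                    /* scheme default */
    if (colon) {                                     /* explicit port: 1-5 digits */
        size_t d = strspn(colon + 1, "0123456789");
        port = atol(colon + 1);
        if (d == 0 || d > 5 || n + 1 + d != alen || port < 1 || port > 65535) return -1;
    }
    snprintf(out, olen, "%s://%.*s:%ld", https ? "https" : "http", (int)n, url, port);
    return 0;
}

/* Same origin = same scheme, same host (case-insensitive), same port. */
int same_origin(const char *a, const char *b) {
    char oa[300], ob[300];
    return origin_of(a, oa, sizeof oa) == 0 && origin_of(b, ob, sizeof ob) == 0
        && strcasecmp(oa, ob) == 0;
}

/* Copy to out[] the headers allowed to follow a redirect from -> to. */
size_t headers_for_redirect(const char *from, const char *to,
                            const char **in, size_t n, const char **out) {
    size_t k = 0;
    for (size_t i = 0; i < n; i++)
        if (strncasecmp(in[i], "Authorization:", 14) != 0 || same_origin(from, to))
            out[k++] = in[i];
    return k;
}

int main(void) {  /* constructed sample: token request redirected to another host */
    const char *in[] = { "Accept: application/json", "Authorization: Bearer CONSTRUCTED" };
    const char *out[2];
    size_t k = headers_for_redirect("https://api.example.test/v1",
                                    "https://cdn.example.test/v1", in, 2, out);
    for (size_t i = 0; i < k; i++) puts(out[i]);
    return 0;
}
```

In a libcurl client this means leaving `CURLOPT_FOLLOWLOCATION` at 0, reading `CURLINFO_REDIRECT_URL` after each 3xx response, and rebuilding the `CURLOPT_HTTPHEADER` list from the filtered headers before issuing the next request.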
