From 66ef2966178b03bd68e78e228c896ad558a0b203 Mon Sep 17 00:00:00 2001
From: David Varga
Date: Thu, 14 Aug 2025 15:53:18 +0200
Subject: [PATCH] Exclude Authorization header on cors redirects

---
 lib/httparty/request.rb | 1 +
 spec/httparty/request_spec.rb | 19 +++++++++++++++++++
 2 files changed, 20 insertions(+)

diff --git a/lib/httparty/request.rb b/lib/httparty/request.rb
index 36b7d357..8809590e 100644
--- a/lib/httparty/request.rb
+++ b/lib/httparty/request.rb
@@ -228,6 +228,7 @@ def query_string_normalizer
 def setup_raw_request
 if options[:headers].respond_to?(:to_hash)
 headers_hash = options[:headers].to_hash
+ headers_hash.delete('Authorization') if !send_authorization_header?
 else
 headers_hash = nil
 end
diff --git a/spec/httparty/request_spec.rb b/spec/httparty/request_spec.rb
index 638447b3..1c1d1a37 100644
--- a/spec/httparty/request_spec.rb
+++ b/spec/httparty/request_spec.rb
@@ -1384,6 +1384,25 @@
 end
 end
 end
+
+ context "when redirecting to a different host" do
+ before do
+ @redirect = stub_response("", 302)
+ @ok = stub_response('bar', 200)
+ @request.options[:headers] = {'Authorization' => 'Bearer xyz'}
+ end
+
+ before(:each) do
+ allow(@http).to receive(:request).and_return(@redirect, @ok)
+ end
+
+ it "should not send Authorization header" do
+ @redirect['location'] = 'http://example.com/v1'
+ @request.perform
+ @request.send(:setup_raw_request)
+ expect(@request.instance_variable_get(:@raw_request)['authorization']).to be_nil
+ end
+ end
 end
 context "with POST http method" do
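Review bot: `headers_hash.delete('Authorization')` removes only that exact spelling, while HTTP header names are case-insensitive and Net::HTTP looks them up that way, so a caller who configured `'authorization'` or a symbol key still forwards the credential to the other host after a redirect. Because `Hash#to_hash` returns the receiver, the delete also mutates `options[:headers]` in place rather than the per-request copy. One line covers both and drops the `if !` form: `headers_hash = headers_hash.reject { |k, _| k.to_s.casecmp?('Authorization') } unless send_authorization_header?`. This relies on `send_authorization_header?` (defined outside the hunk) being false exactly for redirects to a different host, which the commit title implies but the hunk does not show; `setup_raw_request` continues past the hunk.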
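Review bot: The final `expect` inspects `@raw_request` after a manual second call to `setup_raw_request`, so it checks the request the object would build next rather than the headers of the redirected request actually passed to `@http.request`; capturing the request objects from the stub makes the example exercise the real redirect path instead of a private method. The example also only covers the exact key `'Authorization'`, leaving a mixed-case key untested, and the two `before` blocks could be merged since `before(:each)` is the default. Whether `'http://example.com/v1'` is really a different host depends on the request URI set up in the enclosing `describe`, which starts outside the hunk.
```ruby
it "should not send Authorization header" do
  @redirect['location'] = 'http://example.com/v1'
  sent = []
  allow(@http).to receive(:request) { |req| sent << req; sent.size == 1 ? @redirect : @ok }
  @request.perform
  expect(sent.last['authorization']).to be_nil
end
```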