From c4f847f85176991f95ab9c88af63b1294de8649b Mon Sep 17 00:00:00 2001
From: Ruben Verborgh
Date: Thu, 14 Mar 2024 17:36:10 +0100
Subject: [PATCH] Drop Proxy-Authorization across hosts.
---
 index.js | 2 +-
 test/test.js | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/index.js b/index.js
index f58b933..c649cab 100644
--- a/index.js
+++ b/index.js
@@ -461,7 +461,7 @@ RedirectableRequest.prototype._processResponse = function (response) {
 redirectUrl.protocol !== "https:" ||
 redirectUrl.host !== currentHost &&
 !isSubdomain(redirectUrl.host, currentHost)) {
- removeMatchingHeaders(/^(?:authorization|cookie)$/i, this._options.headers);
+ removeMatchingHeaders(/^(?:(?:proxy-)?authorization|cookie)$/i, this._options.headers);
 }

 // Evaluate the beforeRedirect callback
diff --git a/test/test.js b/test/test.js
index 97e9653..8413192 100644
--- a/test/test.js
+++ b/test/test.js
@@ -1529,6 +1529,7 @@ describe("follow-redirects", function () {

 [
 "Authorization",
+ "Proxy-Authorization",
 "Cookie",
 ].forEach(function (header) {
 describe("when the client passes an header named " + header, function () {
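Review bot: The pattern on the added `removeMatchingHeaders` line is the only place in this hunk that defines which request headers are treated as confidential on a cross-host or protocol-downgrading redirect, and it carries no comment. I would add one above the call, for example `// Credentials must not follow a redirect to another host or a weaker protocol: Authorization, Proxy-Authorization, Cookie.` Because the pattern is anchored and exact, any other credential-bearing header a caller sets is still forwarded; the comment should say so and point to the `beforeRedirect` callback evaluated just below, which is presumably where callers strip such headers. The condition still exempts subdomains of the current host through `isSubdomain`, so all three headers, including the new one, are kept on those redirects; that is worth stating if it is intended for proxy credentials. `_processResponse` starts and ends outside this hunk.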
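Review bot: The new list entry in test/test.js covers only the canonical spelling `"Proxy-Authorization"`, while the pattern in index.js matches case-insensitively through its `/i` flag. Adding a lower-case entry such as `"proxy-authorization"` would pin that behaviour, so a later edit to the pattern cannot silently let a differently cased header through. The `describe` block that consumes this list continues outside the hunk, so what each entry asserts is not visible here.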