← Back to release summary

Remove Authorization header upon cross-origin redirect

Category

Network / Connectivity

Type

No developer-visible change

Status

Enabled by default (Chrome 119)

Intent stage

None

Summary

The Fetch standard has updated to remove Authorization header on cross origin redirects. Chrome should follow the spec change.

Standards & signals

• Specification: https://fetch.spec.whatwg.org/#http-redirect-fetch
• Firefox: In development
• Safari: Shipped/Shipping — Safari always removed Authorization headers even for the same origin redirects but the behavior has changed to preserve them on same origin redirects.
• Web developers: No signals
• Tracking bug: https://bugs.chromium.org/p/chromium/issues/detail?id=1393520

View on chromestatus.com