On Tue, Dec 16, 2025 at 04:45:08AM +0100, Dick Hardt wrote:
> On Tue, Dec 16, 2025 at 12:52 AM Nico Williams <[email protected]> wrote:
>
> > I also think it was a mistake for HTTP to say that no headers may be
> > copied from a redirect response to the redirected request.
>
> When / where was that?

Ay, I might have hallucinated that there is a stricture against it, but also user-agents normally don't copy any redirect response headers to the redirected requests, so in effect there is normally no way for a server to communicate with an IdP/token issuer over headers by way of the user-agent.

Nico
-- 
_______________________________________________
OAuth mailing list -- [email protected]
To unsubscribe send an email to [email protected]
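The user-agent behaviour described in this message, as an added example that is not part of the original post: a loopback server answers `/start` with a 302 carrying both a response header and a query parameter in `Location`, and Python's `urllib` stands in for the user-agent. The header name `X-Issuer-Hint`, the paths and the values are constructed for the demonstration.

```python
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

HINT_HEADER = "X-Issuer-Hint"   # hypothetical header name, constructed for this demo

class Handler(BaseHTTPRequestHandler):
    seen = {}                    # what the redirect target (the "IdP") received

    def do_GET(self):
        if self.path == "/start":            # the redirecting server
            self.send_response(302)
            self.send_header("Location", "/idp?hint=in-url")
            self.send_header(HINT_HEADER, "in-header")
            self.send_header("Content-Length", "0")
            self.end_headers()
        else:                                # the redirect target
            Handler.seen = {"path": self.path,
                            "headers": dict(self.headers.items())}
            body = b"ok"
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

    def log_message(self, *args):            # keep the demo quiet
        pass

def observe_redirect():
    """Follow the 302 with urllib and return what the target saw."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        # Empty ProxyHandler: ignore any proxy set in the environment.
        opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
        url = f"http://127.0.0.1:{server.server_port}/start"
        with opener.open(url, timeout=5) as resp:
            resp.read()
        return Handler.seen
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    seen = observe_redirect()
    names = {k.lower() for k in seen["headers"]}
    print("target path:", seen["path"])
    print("hint header forwarded:", HINT_HEADER.lower() in names)
```

Only the value placed in the `Location` URL reaches the redirect target; the response header stops at the user-agent.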
