Comment 1 for bug 2027993

It should be possible to address this with https://pkg.go.dev/net/http#Client.CheckRedirect. Should we drop the authorization headers unconditionally or only if the domain is not the original one?