
Possible issue with dropping headers on redirect #4568

Closed
inventionlabsSydney opened this issue Feb 11, 2020 · 1 comment
Labels: bug, client, reproducer: missing

Comments


inventionlabsSydney commented Feb 11, 2020

🐞 Summary
We're experiencing this issue and have isolated it to headers (in particular Authorization) being reset when redirected by the server (we're using aiohttp as a client).

💡 To Reproduce

Take the following for example:

```python
import asyncio
import aiohttp

kwargs = {"headers": {"Authorization": "Token BlahBah"}, "raise_for_status": True}

async def main():
    async with aiohttp.ClientSession(**kwargs) as session:
        breakpoint()  # breakpoint 1: inspect session._default_headers
        async with session.get("<some_secure_url_that_redirects>") as resp:
            breakpoint()  # breakpoint 2: inspect the response after the redirect
            await resp.json()

asyncio.run(main())
```

In the example above we set the headers on instantiation of ClientSession; we can verify this at breakpoint 1 by looking at session._default_headers, which gives us <CIMultiDict('Authorization': 'Token BlahBah')>.

Once past this, the session performs the GET request; the payload is sent with headers and the server responds 301 or 302.
The client then chooses to follow the redirect, but it appears aiohttp is intentionally dropping the Authorization header (see here: https://github.com/aio-libs/aiohttp/blob/master/aiohttp/client.py#L539).

This in turn raises a 401 Unauthorised response.

💡 Expected behavior
I would expect that the headers remain intact when redirecting.

📋 Logs/tracebacks
N/A

📋 Your version of the Python

$ python --version
3.8.1

📋 Your version of the aiohttp/yarl/multidict distributions

$ python -m pip show aiohttp
aiohttp==3.6.2
$ python -m pip show multidict
multidict==4.7.4
$ python -m pip show yarl
yarl==1.4.2

📋 Additional context
Using aiohttp as client, communicating with flask fleet.

webknjaz added the client and reproducer: missing labels on Feb 13, 2020

webknjaz (Member) commented:

This happens when the origin changes, for security reasons. aiohttp cannot know if the other server is safe. You'll have to disable redirects and follow them manually, verifying that the next host is safe.
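One way to do what the maintainer suggests, as an added example that is not aiohttp's own code or anything from this thread: redirects are followed by hand and the `Authorization` header travels along only while the target stays on the same origin (scheme, host, port). The `fetch` callable, the constructed redirect chain and the header names are assumptions of this example; with aiohttp, `fetch` would wrap `session.get(url, headers=headers, allow_redirects=False)` and return the status and response headers. It also handles a relative `Location` and caps the number of hops, which the thread does not discuss.

```python
import asyncio
from typing import Awaitable, Callable, Mapping, Tuple
from urllib.parse import urljoin, urlsplit

# Assumed shape of the fetch callable: (url, headers) -> (status, response headers).
# With aiohttp this wraps session.get(url, headers=headers, allow_redirects=False).
Fetch = Callable[[str, Mapping[str, str]], Awaitable[Tuple[int, Mapping[str, str]]]]

SENSITIVE_HEADERS = ("Authorization", "Proxy-Authorization", "Cookie")
DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url: str) -> Tuple[str, str, int]:
    """(scheme, host, port); default port filled in so https://a and https://a:443 match."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme, -1)

def headers_for_redirect(headers: Mapping[str, str], from_url: str, to_url: str) -> dict:
    """Keep credential headers only when the redirect target shares the original origin."""
    if origin(from_url) == origin(to_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.title() not in SENSITIVE_HEADERS}

async def follow_manually(fetch: Fetch, url: str, headers: Mapping[str, str], max_redirects: int = 5):
    """Follow 3xx responses by hand, deciding per hop whether credentials travel along."""
    current = dict(headers)
    for _ in range(max_redirects + 1):
        status, resp_headers = await fetch(url, current)
        location = resp_headers.get("Location")
        if status not in (301, 302, 303, 307, 308) or location is None:
            return url, status, current          # final response and the headers it saw
        target = urljoin(url, location)          # Location may be relative to the current URL
        current = headers_for_redirect(current, url, target)
        url = target
    raise RuntimeError(f"more than {max_redirects} redirects")

# Constructed chain: a same-origin hop keeps the token, a cross-origin hop drops it.
_CONSTRUCTED = {
    "https://api.example/v1": (301, {"Location": "/v2"}),
    "https://api.example/v2": (302, {"Location": "https://cdn.example/blob"}),
}

async def _fake_fetch(url: str, headers: Mapping[str, str]):
    return _CONSTRUCTED.get(url, (200, {}))      # anything else answers 200

def demo():
    return asyncio.run(follow_manually(_fake_fetch, "https://api.example/v1",
                                       {"Authorization": "Token BlahBah"}))
```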
