Hi Utkarsh, all
Is this even a vulnerability?
The problem is that authentication information is not stripped if the browser is redirected to another place.
If you trust a site enough to provide authentication data, I guess you also trust that if that site happens to be relocated you should also trust the new place.
I mean, if the attacker has the power to redirect, I expect that it has the power to read the authentication data anyway. There could be cases when this is not the case, but in general it should not be possible for the attacker to redirect without also having more power.
We could of course consider applying this fix, but it certainly will cause a regression, since my expectation is that authentication information is forwarded.
I think it should be ignored. If we fix it, it should be with a configuration option, but I think that is a little too intrusive for (E)LTS.
Or have I missed something?
Best regards
// Ola