Drop additional headers on redirect (#12146)

(cherry picked from commit 6e8f393)

Author: Dreamsorcerer

aiohttp/client.py

@@ -893,6 +893,8 @@ async def _connect_and_send_request(
                         if url.origin() != redirect_origin:
                             auth = None
                             headers.pop(hdrs.AUTHORIZATION, None)
+                            headers.pop(hdrs.COOKIE, None)
+                            headers.pop(hdrs.PROXY_AUTHORIZATION, None)
 
                         url = parsed_redirect_url
                         params = {}

tests/test_client_functional.py

@@ -3445,6 +3445,8 @@ async def srv_from(request):
     async def srv_to(request):
         assert request.host == url_to.host
         assert "Authorization" not in request.headers, "Header wasn't dropped"
+        assert "Proxy-Authorization" not in request.headers
+        assert "Cookie" not in request.headers
         return web.Response()
 
     server_from = await create_server_for_url_and_handler(url_from, srv_from)
@@ -3487,11 +3489,16 @@ async def close(self):
         resp = await client.get(
             url_from,
             auth=aiohttp.BasicAuth("user", "pass"),
+            headers={"Proxy-Authorization": "Basic dXNlcjpwYXNz", "Cookie": "a=b"},
         )
         assert resp.status == 200
         resp = await client.get(
             url_from,
-            headers={"Authorization": "Basic dXNlcjpwYXNz"},
+            headers={
+                "Authorization": "Basic dXNlcjpwYXNz",
+                "Proxy-Authorization": "Basic dXNlcjpwYXNz",
+                "Cookie": "a=b",
+            },
         )
         assert resp.status == 200