This is a tricky one, on the surface, security first, why would you want to do that?

But:

• There isn't a Spec / RFC enforcing it.
• Some single sign-on solutions even rely on it.

Request that do implement such a thing:

• https://github.com/request/request/blob/b12a624/lib/redirect.js#L134

So does curl (but only when using a http proxy?)

• https://github.com/curl/curl/blob/6beb0eee/lib/http.c#L710
• http://stackoverflow.com/questions/37865875/stopping-curl-from-sending-authorization-header-on-302-redirect

Either way, I am not rushing to fix this, but a heads-up if anyone is using node-fetch for authorisation.