Credentials that are set with the add_credentials() method are not restricted to one domain. After authentication has been required once, the "authorization" header keeps being sent on subsequent requests.
This means that whenever the client goes off domain, the credentials will leak (even when a domain is set for the credentials).
To reproduce: run the script below and sniff the traffic (see below for a dump).

```python
#!/usr/bin/python2.6
import httplib2

h = httplib2.Http()
# credentials are registered for the domain uth.heinen.ws only
h.add_credentials('name', 'password', 'uth.heinen.ws')
resp, content = h.request("http://uth.heinen.ws?test=5&aa", "GET")
print content
```
Possible fix: in case of a redirect, but perhaps for every request, you can iterate over the authentication classes and force them to either add or to strip credentials from the request (e.g. the 'authorization' header).
Traffic dump

Request/response 1

```
GET /?test=5&aa HTTP/1.1
Host: uth.heinen.ws
accept-encoding: gzip, deflate
user-agent: Python-httplib2/0.7.2 (gzip)

HTTP/1.0 401 OK
Server: Foo
Connection: close
Content-Type: text/html; charset=utf-8
Location: http://uth.heinen.ws/?test=5&step=2
WWW-Authenticate: Basic realm="TEST"
```

Request/response 2

```
GET /?test=5&aa HTTP/1.1
Host: uth.heinen.ws
accept-encoding: gzip, deflate
authorization: Basic bmFtZTpwYXNzd29yZA==
user-agent: Python-httplib2/0.7.2 (gzip)

HTTP/1.0 301 OK
Server: Foo
Connection: close
Content-Type: text/html; charset=utf-8
Location: http://69.60.119.186/?test=5&step=3
```

Request/response 3

```
GET /?test=5&step=3 HTTP/1.1
Host: 69.60.119.186
accept-encoding: gzip, deflate
authorization: Basic bmFtZTpwYXNzd29yZA==   <--- should not be here
user-agent: Python-httplib2/0.7.2 (gzip)

HTTP/1.0 303 OK
Server: Foo
Connection: close
Content-Type: text/html; charset=utf-8
Location: http://uth.heinen.ws/?test=5&step=4
```
Hope this clarifies the issue. Feel free to ping me for more information or additional testing. Niels
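As an added example (not from the issue report or from httplib2 itself), a small Python 3 check that scans a request dump like the one above for Basic credentials sent to a host outside the credential domain, together with the redirect-time filter a client could apply along the lines of the possible fix. The sample dump, CRED_DOMAIN and the helper functions are constructed here for illustration.

```python
from urllib.parse import urlparse

CRED_DOMAIN = "uth.heinen.ws"  # the domain given to add_credentials() in the report

# Constructed sample: the three requests from the traffic dump above, one per block.
DUMP = """\
GET /?test=5&aa HTTP/1.1
Host: uth.heinen.ws
accept-encoding: gzip, deflate

GET /?test=5&aa HTTP/1.1
Host: uth.heinen.ws
authorization: Basic bmFtZTpwYXNzd29yZA==

GET /?test=5&step=3 HTTP/1.1
Host: 69.60.119.186
authorization: Basic bmFtZTpwYXNzd29yZA==
"""

def host_in_domain(host, domain):
    """True if host is the credential domain itself or a subdomain of it."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def parse_requests(dump):
    """Split a dump into (host, headers) pairs; header names are lower-cased."""
    requests = []
    for block in dump.strip().split("\n\n"):
        headers = {}
        for line in block.splitlines()[1:]:  # skip the request line
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        requests.append((headers.get("host", ""), headers))
    return requests

def find_credential_leaks(dump, cred_domain):
    """Detection: hosts that received an Authorization header outside cred_domain."""
    return [host for host, hdrs in parse_requests(dump)
            if "authorization" in hdrs and not host_in_domain(host, cred_domain)]

def headers_for_redirect(headers, cred_domain, location):
    """Mitigation: drop Authorization when a redirect leaves the credential domain."""
    target_host = urlparse(location).hostname or ""
    if host_in_domain(target_host, cred_domain):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() != "authorization"}
```

Running find_credential_leaks(DUMP, CRED_DOMAIN) on the sample flags only the third request, the one sent to 69.60.119.186.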
Comment #1
Posted on Aug 28, 2012 by Massive Hippo
Fixed in http://code.google.com/p/httplib2/source/detail?r=f1e76fdb38ed4b9702b8b3ffadd3f4e2fb371b9d
Status: Fixed
Labels:
Type-Defect
Priority-Medium