Provided by: libcurl4-doc_8.11.0-1ubuntu2_all

NAME

       CURLOPT_UNRESTRICTED_AUTH - send credentials to other hosts too

SYNOPSIS

       #include <curl/curl.h>

       CURLcode curl_easy_setopt(CURL *handle, CURLOPT_UNRESTRICTED_AUTH,
                                 long goahead);

DESCRIPTION

       Set the long goahead parameter to 1L to make libcurl continue to send authentication
       (user+password) credentials or explicitly set cookie headers when following locations,
       even when the host changes. This option is meaningful only when setting
       CURLOPT_FOLLOWLOCATION(3).

       Further, when this option is not used or set to 0L, libcurl sends neither custom nor
       internally generated Authorization: or Cookie: headers on requests to hosts other than
       the one used for the initial URL. Another host means that one or more of hostname,
       protocol scheme or port number changed.

       By default, libcurl only sends Authorization: or explicitly set Cookie: headers to the
       initial host as given in the original URL, to avoid leaking username + password to other
       sites.

       This option should be used with caution: when curl follows redirects it blindly fetches
       the next URL as instructed by the server. Setting CURLOPT_UNRESTRICTED_AUTH(3) to 1L makes
       curl trust the server and send possibly sensitive credentials to any host the server
       points to, possibly again and again as the following hosts can keep redirecting to new
       hosts.

       Due to the way HTTP works, almost any header can be made to contain data a client may not
       want to pass on to servers other than the initially intended host, and for all headers
       other than the two mentioned above, there is no protection from this happening when
       libcurl is told to follow redirects.

DEFAULT

       0

PROTOCOLS

       This functionality affects http only

EXAMPLE

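       #include <curl/curl.h>

       int main(void)
       {
         CURL *curl = curl_easy_init();
         if(curl) {
           curl_easy_setopt(curl, CURLOPT_URL, "https://example.com");
           /* follow redirects issued by the server */
           curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, 1L);
           /* keep sending credentials even when a redirect changes host */
           curl_easy_setopt(curl, CURLOPT_UNRESTRICTED_AUTH, 1L);
           curl_easy_perform(curl);
           curl_easy_cleanup(curl);
         }
         return 0;
       }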
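
       The following is an added example, not part of the libcurl documentation. Because only
       the two headers named in DESCRIPTION are withheld when the host changes, an application
       that sets other sensitive headers can follow redirects itself and apply the same
       "another host" test (hostname, protocol scheme or port number changed) before re-sending
       them. The names struct origin, parse_origin and same_origin are hypothetical; the parser
       is deliberately simplified (http/https only) and treats any URL it cannot parse as
       another host.

```c
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Hypothetical helper type: the three parts compared for "another host". */
struct origin { char scheme[8]; char host[256]; long port; };

/* Parse an absolute http(s) URL. Returns 0 on success, -1 on anything this
   simplified parser does not handle (userinfo, IPv6 literal, backslash,
   bad port), so that callers fail closed. */
static int parse_origin(const char *url, struct origin *o)
{
  const char *sep = strstr(url, "://"), *auth, *colon;
  size_t slen, alen, hlen;
  if(!sep || sep == url) return -1;
  slen = (size_t)(sep - url);
  if(slen >= sizeof(o->scheme)) return -1;
  memcpy(o->scheme, url, slen);
  o->scheme[slen] = '\0';
  if(!strcasecmp(o->scheme, "http")) o->port = 80;        /* default ports */
  else if(!strcasecmp(o->scheme, "https")) o->port = 443;
  else return -1;
  auth = sep + 3;
  alen = strcspn(auth, "/?#");                 /* authority ends here */
  if(memchr(auth, '@', alen) || memchr(auth, '[', alen) ||
     memchr(auth, '\\', alen)) return -1;
  colon = memchr(auth, ':', alen);
  hlen = colon ? (size_t)(colon - auth) : alen;
  if(hlen == 0 || hlen >= sizeof(o->host)) return -1;
  memcpy(o->host, auth, hlen);
  o->host[hlen] = '\0';
  if(colon) {
    char *end;
    if(colon[1] < '0' || colon[1] > '9') return -1;  /* no sign or space */
    o->port = strtol(colon + 1, &end, 10);
    if(end != auth + alen || o->port < 1 || o->port > 65535)
      return -1;
  }
  return 0;
}

/* Returns 1 only if scheme, hostname and port all match, otherwise 0. */
int same_origin(const char *initial_url, const char *redirect_url)
{
  struct origin a, b;
  if(parse_origin(initial_url, &a) || parse_origin(redirect_url, &b))
    return 0;
  return !strcasecmp(a.scheme, b.scheme) && !strcasecmp(a.host, b.host) &&
         a.port == b.port;
}
```

       With CURLOPT_FOLLOWLOCATION(3) left at 0L, the next URL can be read with
       CURLINFO_REDIRECT_URL(3) after the transfer and passed to same_origin() together with
       the initial URL. Production code can replace parse_origin with libcurl's own URL parser.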

AVAILABILITY

       Added in curl 7.10.4

RETURN VALUE

       Returns CURLE_OK if HTTP is supported, and CURLE_UNKNOWN_OPTION if not.

SEE ALSO

       CURLINFO_REDIRECT_COUNT(3),        CURLOPT_FOLLOWLOCATION(3),        CURLOPT_MAXREDIRS(3),
       CURLOPT_REDIR_PROTOCOLS_STR(3), CURLOPT_USERPWD(3)