go is vulnerable to Sensitive Information Disclosure. The vulnerability is due to the client not forwarding sensitive headers such as “Authorization” or “Cookie” when following an HTTP redirect to a domain that is not a subdomain match or exact match of the initial domain.