Add option to follow 301 and 302 redirection

[yujincheng08]

Fix #92

[yujincheng08]

Hi, RTSP follows HTTP which also sends Authorization header to redirected target.

[yujincheng08]

Change the option to max_redirect: u8 so that we can specify the maximum follows.

[yujincheng08]

@scottlamb Gentle ping

[yujincheng08]

@scottlamb Gentle ping

[yujincheng08]

@scottlamb Gentle ping

[scottlamb]

Hey, I know you've been waiting a long time on this. I'm uncomfortable though about the security implications of sending the credentials to another host.

Hi, RTSP follows HTTP which also sends Authorization header to redirected target.

Can you point me at where the spec mandates clients behave in that way? I can't find it, and I've read through the HTTP/1.1 spec (and specifically several versions of Authorization-related RFCs while writing http-auth) a fair bit.

Here's a stackoverflow thread on the subject, fwiw, and it suggests other clients have made the choice to remove credentials on redirect.

In your use case, are redirects happening to a different (scheme, host, port)? or is only the path changing?

I'd be less concerned about...

1. keeping the credentials only if the (scheme, host, port) remain constant, or
2. providing a "credential store" that can be queried on individual request, something like:

trait CredentialStore {
    fn get_credentials(url: &Url) -> Box<Future<Item = Result<Credentials, BoxError>>>
}