async-http-client

Remove `Authorization` header on redirects?

Open shays10 opened this issue 2 years ago • 1 comments

Hi,

We ran into an issue where we are:

  1. Sending a call to a docker registry /v2/blobs/... backed by an S3 bucket. We're getting a 302 response with a location to a pre-signed S3 bucket URL.
  2. AHC tries to call the new location and fails. It propagates the original headers to the new request and the S3 API doesn't like the fact that there's also an Authorization header for the docker registry.

The redirect is to a different domain, so I'm wondering, what's the preferred solution here?
A new flag where we can control stripping the Authorization headers? Any other solution would probably break existing behavior.

According to the code, it looks like we're always propagating the headers.

For more info, this is exactly the same issue as described here

shays10 avatar Jun 04 '23 11:06 shays10

Would you like to do a PR?

hyperxpro avatar Jun 07 '23 19:06 hyperxpro
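
The behaviour requested in this issue, as an added example that is not part of the thread and not async-http-client code: a standalone filter that drops `Authorization` when a redirect leaves the original origin, which also keeps the registry credential from being handed to the redirect target. The class and method names, hosts and token are hypothetical, and only `java.net.URI` and collections from the JDK are used.

```java
import java.net.URI;
import java.util.LinkedHashMap;
import java.util.Map;

public class RedirectHeaderFilter {

    // Resolve default ports so https://host and https://host:443 compare equal.
    static int effectivePort(URI u) {
        if (u.getPort() != -1) return u.getPort();
        return "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
    }

    // Same origin means same scheme, host and effective port.
    static boolean sameOrigin(URI a, URI b) {
        return a.getScheme() != null && a.getHost() != null
                && a.getScheme().equalsIgnoreCase(b.getScheme())
                && a.getHost().equalsIgnoreCase(b.getHost())
                && effectivePort(a) == effectivePort(b);
    }

    // Build the headers for the follow-up request. Authorization survives
    // only when the redirect stays on the origin it was issued for.
    static Map<String, String> headersForRedirect(URI from, String location,
                                                  Map<String, String> original) {
        URI target = from.resolve(location); // Location may be relative
        Map<String, String> next = new LinkedHashMap<>(original);
        if (!sameOrigin(from, target)) {
            // Header names are case-insensitive, so match accordingly.
            next.keySet().removeIf(name -> name.equalsIgnoreCase("Authorization"));
        }
        return next;
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from the issue.
        URI registry = URI.create("https://registry.example.com/v2/app/blobs/sha256:abc");
        Map<String, String> headers = new LinkedHashMap<>();
        headers.put("Authorization", "Bearer constructed-token");
        headers.put("Accept", "application/octet-stream");

        // Cross-origin 302 to a pre-signed URL: the credential is not forwarded.
        System.out.println(headersForRedirect(registry,
                "https://bucket.s3.example.com/blob?X-Amz-Signature=constructed", headers));
        // Relative redirect on the registry itself: headers pass through unchanged.
        System.out.println(headersForRedirect(registry, "/v2/app/blobs/other", headers));
    }
}
```

Comparing scheme as well as host means an https-to-http redirect on the same host also loses the header.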