Authentication is never sent to the destination server
Authorization, Cookie, and Proxy-Authorization headers are not sent to the
server. Avoid including user info in parts of imported URLs. A security model
for safely using these on the server is being worked on.
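
One way to enforce the advice about user info before code ships, as an added example that is not from the original page: it scans module source for `http:`/`https:` import specifiers and reports any that embed a username or password, redacting the secret in the report. It assumes ES module `import`/`export ... from` syntax; `findCredentialedImports` and `SAMPLE_SOURCE` are names constructed for illustration.

```javascript
// Added example: flag URL imports that embed user info (user:pass@host).
// findCredentialedImports and SAMPLE_SOURCE are constructed for illustration.

// Matches the string literal in `import ... from '...'`, bare `import '...'`,
// `export ... from '...'` and dynamic `import('...')`.
const SPECIFIER_RE =
  /(?:\bfrom\s*|\bimport\s*\(?\s*)(['"])([^'"\n]+)\1/g;

function findCredentialedImports(source) {
  const findings = [];
  for (const match of source.matchAll(SPECIFIER_RE)) {
    const specifier = match[2];
    let url;
    try {
      url = new URL(specifier); // relative and bare specifiers throw; skip them
    } catch {
      continue;
    }
    if (url.protocol !== 'http:' && url.protocol !== 'https:') continue;
    if (url.username === '' && url.password === '') continue;
    // Report the line and a redacted URL so the secret is not echoed to logs.
    const line = source.slice(0, match.index).split('\n').length;
    url.username = '';
    url.password = '';
    findings.push({ line, redacted: url.href });
  }
  return findings;
}

// Constructed sample input.
const SAMPLE_SOURCE = [
  "import a from 'https://example.com/a.mjs';",
  "import b from 'https://user:s3cret@example.com/b.mjs';",
  "import './local.mjs';",
  "const c = await import(\"https://token@cdn.example.net/c.mjs\");",
  "export { d } from 'node:fs';",
].join('\n');

console.log(findCredentialedImports(SAMPLE_SOURCE));
```

The regular expression is a lightweight heuristic and does not parse JavaScript, so specifiers built at runtime are not seen.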