docs: add description of effect of --location-trusted on cookie

Closes #14471

diff --git a/docs/cmdline-opts/location-trusted.md b/docs/cmdline-opts/location-trusted.md
index edbd0b5395253481355ce058186ff667afbe461c..06458a467879a5353779b6e6aaaaa42a3003caf3 100644 (file)
--- a/docs/cmdline-opts/location-trusted.md
+++ b/docs/cmdline-opts/location-trusted.md
@@ -2,7 +2,7 @@
 c: Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
 SPDX-License-Identifier: curl
 Long: location-trusted
-Help: As --location, but send auth to other hosts
+Help: As --location, but send secrets to other hosts
 Protocols: HTTP
 Category: http auth
 Added: 7.10.4
@@ -11,11 +11,16 @@ See-also:
   - user
 Example:
   - --location-trusted -u user:password $URL
+  - --location-trusted -H "Cookie: session=abc" $URL
 ---
 
 # `--location-trusted`
 
-Like --location, but allows sending the name + password to all hosts that the
-site may redirect to. This may or may not introduce a security breach if the
-site redirects you to a site to which you send your authentication info (which
-is clear-text in the case of HTTP Basic authentication).
+Instructs curl to like --location follow HTTP redirects, but permits it to
+send credentials and other secrets along to other hosts than the initial one.
+
+This may or may not introduce a security breach if the site redirects you to a
+site to which you send this sensitive data to. Another host means that one or
+more of hostname, protocol scheme or port number changed.
+
+This option also allows curl to pass long cookies set explicitly with --header.

diff --git a/docs/cmdline-opts/location.md b/docs/cmdline-opts/location.md
index 5a9e6ed92e4b50d99337c830e9007b8d619ee11d..57b24ae4057ffb6769ed43925980b99a864a5539 100644 (file)
--- a/docs/cmdline-opts/location.md
+++ b/docs/cmdline-opts/location.md
@@ -22,9 +22,10 @@ location (indicated with a Location: header and a 3XX response code), this
 option makes curl redo the request on the new place. If used together with
 --show-headers or --head, headers from all requested pages are shown.
 
-When authentication is used, curl only sends its credentials to the initial
-host. If a redirect takes curl to a different host, it does not get the
-user+password pass on. See also --location-trusted on how to change this.
+When authentication is used, or send cookie with `-H Cookie:`, curl only sends
+its credentials to the initial host. If a redirect takes curl to a different
+host, it does not get the credentials pass on. See also--location-trusted on
+how to change this.
 
 Limit the amount of redirects to follow by using the --max-redirs option.
 

diff --git a/src/tool_listhelp.c b/src/tool_listhelp.c
index 43635c22e0abac101dbba9423f656c0840e0e0f2..fa29a51c1f28bb4fee0ac8469acc5d1a6630c68a 100644 (file)
--- a/src/tool_listhelp.c
+++ b/src/tool_listhelp.c
@@ -357,7 +357,7 @@ const struct helptxt helptext[] = {
    "Follow redirects",
    CURLHELP_HTTP},
   {"    --location-trusted",
-   "As --location, but send auth to other hosts",
+   "As --location, but send secrets to other hosts",
    CURLHELP_HTTP | CURLHELP_AUTH},
   {"    --login-options <options>",
    "Server login options",