CURLOPT_PINNEDPUBLICKEY.md: does not apply for other origins

Clarify

Closes #21885

diff --git a/docs/libcurl/opts/CURLOPT_PINNEDPUBLICKEY.md b/docs/libcurl/opts/CURLOPT_PINNEDPUBLICKEY.md
index 82dd1626d140ee4c3c6a1a61a1b8eea3cab257d5..ed4011d57fa3f550aaab4c2840331bd528e93668 100644 (file)
--- a/docs/libcurl/opts/CURLOPT_PINNEDPUBLICKEY.md
+++ b/docs/libcurl/opts/CURLOPT_PINNEDPUBLICKEY.md
@@ -36,9 +36,9 @@ CURLcode curl_easy_setopt(CURL *handle, CURLOPT_PINNEDPUBLICKEY,
 # DESCRIPTION
 
 Pass a pointer to a null-terminated string as parameter. The string can be the
-filename of your pinned public key. The file format expected is "PEM" or
-"DER". The string can also be any number of base64 encoded sha256 hashes
-preceded by "sha256//" and separated by ";"
+filename of your pinned public key. The file format expected is `PEM` or
+`DER`. The string can also be any number of base64 encoded sha256 hashes
+preceded by `sha256//` and separated by `;`.
 
 When negotiating a TLS or SSL connection, the server sends a certificate
 indicating its identity. A public key is extracted from this certificate and
@@ -53,6 +53,10 @@ On mismatch, *CURLE_SSL_PINNEDPUBKEYNOTMATCH* is returned.
 The application does not have to keep the string around after setting this
 option.
 
+The pinned public key is used to verify the initial origin used in a transfer.
+If the transfer is set to follow redirects to other origins, they are *not*
+checked against this key.
+
 This option has no effect on LDAP connections when libcurl uses the legacy LDAP
 backend. That backend manages TLS independently of curl's TLS layer. When
 libcurl is built with USE_OPENLDAP, the OpenLDAP backend routes TLS through