Index: wget-1.21.1/src/http.c
===================================================================
--- wget-1.21.1.orig/src/http.c
+++ wget-1.21.1/src/http.c
@@ -3155,6 +3155,33 @@ fail:
 }
 #endif /* HAVE_METALINK */
 
+/*
+ * Check if the corresponding header line should not
+ * be sent after a redirect
+ */
+static inline int
+unredirectable_headerline(char *line)
+{
+    static struct {
+        size_t len;
+	char *name;
+    } field_name[] = {
+        { 14, "Authorization:" },
+	{ 7, "Cookie:" },
+	{ 0, NULL }
+    };
+    int i;
+
+    /*
+     * Note: According to RFC 2616, Field names are case-insensitive.
+     */
+    for (i = 0; field_name[i].name != NULL; i++)
+        if (strncasecmp(line, field_name[i].name, field_name[i].len) == 0)
+	    return 1;
+
+    return 0;
+}
+
 /* Retrieve a document through HTTP protocol.  It recognizes status
    code, and correctly handles redirections.  It closes the network
    socket.  If it receives an error from the functions below it, it
@@ -3167,7 +3194,7 @@ fail:
    server, and u->url will be requested.  */
 static uerr_t
 gethttp (const struct url *u, struct url *original_url, struct http_stat *hs,
-         int *dt, struct url *proxy, struct iri *iri, int count)
+         int *dt, struct url *proxy, struct iri *iri, int count, int location_changed)
 {
   struct request *req = NULL;
 
@@ -3314,7 +3341,16 @@ gethttp (const struct url *u, struct url
     {
       int i;
       for (i = 0; opt.user_headers[i]; i++)
-        request_set_user_header (req, opt.user_headers[i]);
+	{
+	 /*
+	  * IF we have been redirected
+	  * AND the user-supplied header line should NOT be sent to the new host
+	  * DO NOT append that header line
+	  */
+	 if (location_changed && unredirectable_headerline(opt.user_headers[i]))
+	   continue;
+	 request_set_user_header (req, opt.user_headers[i]);
+	}
     }
 
   proxyauth = NULL;
@@ -4232,7 +4268,7 @@ check_retry_on_http_error (const int sta
 uerr_t
 http_loop (const struct url *u, struct url *original_url, char **newloc,
            char **local_file, const char *referer, int *dt, struct url *proxy,
-           struct iri *iri)
+           struct iri *iri, int location_changed)
 {
   int count;
   bool got_head = false;         /* used for time-stamping and filename detection */
@@ -4424,7 +4460,7 @@ http_loop (const struct url *u, struct u
         *dt &= ~SEND_NOCACHE;
 
       /* Try fetching the document, or at least its head.  */
-      err = gethttp (u, original_url, &hstat, dt, proxy, iri, count);
+      err = gethttp (u, original_url, &hstat, dt, proxy, iri, count, location_changed);
 
       /* Time?  */
       tms = datetime_str (time (NULL));
Index: wget-1.21.1/src/http.h
===================================================================
--- wget-1.21.1.orig/src/http.h
+++ wget-1.21.1/src/http.h
@@ -36,7 +36,7 @@ as that of the covered work.  */
 struct url;
 
 uerr_t http_loop (const struct url *, struct url *, char **, char **, const char *,
-                  int *, struct url *, struct iri *);
+                  int *, struct url *, struct iri *, int);
 void save_cookies (void);
 void http_cleanup (void);
 time_t http_atotm (const char *);
Index: wget-1.21.1/src/retr.c
===================================================================
--- wget-1.21.1.orig/src/retr.c
+++ wget-1.21.1/src/retr.c
@@ -886,7 +886,7 @@ retrieve_url (struct url * orig_parsed,
 {
   uerr_t result;
   char *url;
-  bool location_changed;
+  bool location_changed = 0;
   bool iri_fallbacked = 0;
   int dummy;
   char *mynewloc, *proxy;
@@ -985,7 +985,7 @@ retrieve_url (struct url * orig_parsed,
 	}
 #endif
       result = http_loop (u, orig_parsed, &mynewloc, &local_file, refurl, dt,
-                          proxy_url, iri);
+                          proxy_url, iri, location_changed);
     }
   else if (u->scheme == SCHEME_FTP
 #ifdef HAVE_SSL