Per T102566#1449713 and beyond, and T103043#1381527 and the reply, our current behavior of $followRedirects in MWHttpRequest and children is problematic and renders it basically useless. It's an all-or-none proposition, with no verification along the way to make sure we're doing safe things.
We should do the following:
1. Always allow redirects from HTTP -> HTTPS versions of the same URL (or domain?)
2. Never allow redirects from HTTPS -> HTTP unless the URL (or domain?) matches.
3. Remove the flag for enabling/disabling redirection after (1) and (2) are done.
Allowing us to always redirect in safe cases and never redirect in unsafe cases allows this to behave in a way that will actually make it useful and make things like HTTP -> HTTPS transitions much easier on our users.
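
A sketch of the per-hop check that (1) and (2) describe, added here as an example; it is not MediaWiki code, and `isRedirectAllowed` and its `$matchFullUrl` switch (which selects between the open "URL (or domain?)" options) are hypothetical names. Assumptions: the Location value has already been resolved to an absolute URL, ports are ignored, and same-scheme hops, which the task does not cover, are followed only to the same host.

```php
<?php
// Hypothetical helper, not part of MediaWiki: decides whether one redirect hop is followed.
// $matchFullUrl picks between the task's open "URL (or domain?)" options.
function isRedirectAllowed( string $from, string $to, bool $matchFullUrl = false ): bool {
	$a = parse_url( $from );
	$b = parse_url( $to );
	// Refuse anything unparsable or lacking a scheme and host.
	if ( !is_array( $a ) || !is_array( $b )
		|| !isset( $a['scheme'], $a['host'], $b['scheme'], $b['host'] )
	) {
		return false;
	}
	$fromScheme = strtolower( $a['scheme'] );
	$toScheme = strtolower( $b['scheme'] );
	$web = [ 'http', 'https' ];
	// Only HTTP(S) is considered; file://, ftp:// and the like are never followed.
	if ( !in_array( $fromScheme, $web, true ) || !in_array( $toScheme, $web, true ) ) {
		return false;
	}
	// Host names compare case-insensitively; a trailing dot is ignored.
	$sameHost = rtrim( strtolower( $a['host'] ), '.' ) === rtrim( strtolower( $b['host'] ), '.' );
	$sameRest = ( $a['path'] ?? '/' ) === ( $b['path'] ?? '/' )
		&& ( $a['query'] ?? '' ) === ( $b['query'] ?? '' );
	$matches = $matchFullUrl ? ( $sameHost && $sameRest ) : $sameHost;

	if ( $fromScheme === 'http' && $toScheme === 'https' ) {
		return $matches; // (1): upgrade of the same URL or domain
	}
	if ( $fromScheme === 'https' && $toScheme === 'http' ) {
		return $matches; // (2): downgrade only when the URL or domain matches
	}
	// Same-scheme hop: not covered by the task; assumption of this example.
	return $sameHost;
}

// Constructed sample hops, not taken from any real request log.
$hops = [
	[ 'http://example.org/wiki/A', 'https://example.org/wiki/A' ],
	[ 'http://example.org/wiki/A', 'https://other.example/wiki/A' ],
	[ 'https://example.org/wiki/A', 'http://EXAMPLE.org/wiki/A' ],
	[ 'https://example.org/wiki/A', 'http://other.example/' ],
	[ 'https://example.org/wiki/A', 'file:///etc/hostname' ],
];
foreach ( $hops as [ $from, $to ] ) {
	printf( "%s -> %s : %s\n", $from, $to, isRedirectAllowed( $from, $to ) ? 'follow' : 'refuse' );
}
```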