Fixes after feedback

src/agent.rs

@@ -20,14 +20,16 @@ use {
 ///
 /// `Never` is the default strategy and never preserves `authorization` header in redirects.
 /// `SameHost` send the authorization header in redirects only if the host of the redirect is
-/// the same of the previous request, and both use the `https` scheme.
+/// the same of the previous request, and both use the same scheme (or switch to a more secure one, i.e
+/// we can redirect from `http` to `https`, but not the reverse).
 #[derive(Debug, Clone, PartialEq, Eq)]
 #[non_exhaustive]
 pub enum RedirectAuthHeaders {
     /// Never preserve the `authorization` header on redirect. This is the default.
     Never,
-    /// Preserve the `authorization` header when the redirect is to the same host. Must
+    /// Preserve the `authorization` header when the redirect is to the same host. Both hosts must use
-    /// be under the `https` scheme (though port can differ).
+    /// the same scheme (or switch to a more secure one, i.e we can redirect from `http` to `https`,
+    /// but not the reverse).
     SameHost,
 }
 

src/unit.rs

@@ -383,7 +383,10 @@ fn can_propagate_authorization_on_redirect(
             let prev_host = prev_url.host_str();
             let prev_is_https = scheme_is_https(prev_url);
 
-            host == prev_host && prev_is_https && is_https
+            let same_scheme_or_more_secure =
+                is_https == prev_is_https || (!prev_is_https && is_https);
+
+            host == prev_host && same_scheme_or_more_secure
         }
     }
 }