Strip auth headers when redirected to another host.

These are potentially private and we don't want to leak them to another
host, regardless of whether they're created by the calling application or
by the Authenticator.

okhttp-urlconnection/src/main/java/com/squareup/okhttp/internal/huc/HttpURLConnectionImpl.java

@@ -357,7 +357,7 @@ public class HttpURLConnectionImpl extends HttpURLConnection {
         throw new HttpRetryException("Cannot retry streamed HTTP body", responseCode);
       }
 
-      if (!httpEngine.sameConnection(followUp)) {
+      if (!httpEngine.sameConnection(followUp.url())) {
         httpEngine.releaseConnection();
       }