urllib3 doesn't treat the `Cookie` HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a `Cookie` header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly.

Users **must** handle redirects themselves instead of relying on urllib3's automatic redirects to achieve safe processing of the `Cookie` header, thus we decided to strip the header by default in order to further protect users who aren't using the correct approach.

## Affected usages

We believe the number of usages affected by this advisory is low. It requires all of the following to be true to be exploited:

* Using an affected version of urllib3 (patched in v1.26.17 and v2.0.6)
* Using the `Cookie` header on requests, which is mostly typical for impersonating a browser.
* Not disabling HTTP redirects
* Either not using HTTPS or for the origin server to redirect to a malicious origin.

## Remediation

* Upgrading to at least urllib3 v1.26.17 or v2.0.6
* Disabling HTTP redirects using `redirects=False` when sending requests.
* Not using the `Cookie` header.