url
  https://victim.example/x
expected
  pwned
expected_url
  https://attacker.example/loot
headers
  Authorization: Bearer TRUSTED-TOKEN
----------
GET /x HTTP/1.1
Host: victim.example
Authorization: Bearer TRUSTED-TOKEN
Connection: close
User-Agent: HTTP-Tiny/VERSION

----------
HTTP/1.1 302 Found
Date: Thu, 03 Feb 1994 00:00:00 GMT
Content-Type: text/plain
Content-Length: 8
Location: //attacker.example/loot

redirect

----------
GET /loot HTTP/1.1
Host: attacker.example
Connection: close
User-Agent: HTTP-Tiny/VERSION

----------
HTTP/1.1 200 OK
Date: Thu, 03 Feb 1994 00:00:00 GMT
Content-Type: text/plain
Content-Length: 5

pwned

