This patch adds a new function that checks if a response was a redirect
for an a request and removes the Authorization header that we usually
send if it is not one of our trusted hosts. This prevents authorization
keys from going to insecure places. This is similar logic that exists in
the moby registry code[0].
Additionally improves the cachability of blobs from docker.io because
they are redirects to files that exist on a CDN that doesn't actually
require authentication. The upstream CI registry caching system doesn't
cache any requests with the Authorization header per the apache cache
documentation[1].
[0] a072d726c7/registry/registry.go (L140-L174)
[1] https://httpd.apache.org/docs/2.4/caching.html
Change-Id: I415eec5d307ac73456aa556db9d61ceac1eaa565
Partial-Bug: #1889122