Do not include auth header when redirecting to other domain or when switching to insecure protocol #334

Merged: jonesbusy merged 1 commit into oras-project:main from jonesbusy:feature/do-not-include-auth-header-other-domain on Jun 21, 2025

@jonesbusy jonesbusy commented Jun 21, 2025

Collaborator

Description

Do not send credentials to other domains. Also, S3 now rejects the Authorization header when the signature is passed through the URL:

<Error>
  <Code>InvalidArgument</Code>
  <Message>Only one auth mechanism allowed; only the X-Amz-Algorithm query parameter, Signature query string parameter or the Authorization header should be specified</Message>
</Error>

Testing done

Submitter checklist

  • I have read and understood the CONTRIBUTING guide
  • I have run mvn license:update-file-header, mvn spotless:apply, pre-commit run -a, mvn clean install before opening the PR
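
An added example, not the project's code (the change itself is in src/main/java/land/oras/auth/HttpClient.java and is not shown on this page): a hand-rolled redirect loop on the JDK's java.net.http client that applies the rule from the PR title. The class name, method names and sample URLs are hypothetical.

```java
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.util.Optional;

public class RedirectAuthExample {

    // Credentials may follow a redirect only to the same host, and never from https to a non-https scheme.
    static boolean mayForwardAuth(URI from, URI to) {
        if (from.getHost() == null || to.getHost() == null) return false; // unparsable target: fail closed
        boolean sameHost = from.getHost().equalsIgnoreCase(to.getHost());
        boolean downgrade = "https".equalsIgnoreCase(from.getScheme())
                && !"https".equalsIgnoreCase(to.getScheme());
        return sameHost && !downgrade;
    }

    // Follows redirects by hand; the client must not follow them itself (HttpClient.Redirect.NEVER).
    static HttpResponse<String> get(HttpClient client, URI start, String authHeader, int maxRedirects)
            throws Exception {
        URI current = start;
        boolean sendAuth = authHeader != null;
        for (int hop = 0; hop <= maxRedirects; hop++) {
            HttpRequest.Builder request = HttpRequest.newBuilder(current).GET();
            if (sendAuth) request.header("Authorization", authHeader);
            HttpResponse<String> response = client.send(request.build(), HttpResponse.BodyHandlers.ofString());
            Optional<String> location = response.headers().firstValue("Location");
            if (response.statusCode() / 100 != 3 || location.isEmpty()) {
                return response;
            }
            URI next = current.resolve(location.get());
            // Sticky: once the header is dropped it is not re-added on later hops.
            sendAuth = sendAuth && mayForwardAuth(current, next);
            current = next;
        }
        throw new IllegalStateException("Too many redirects from " + start);
    }

    public static void main(String[] args) {
        // Constructed sample URLs, not taken from the project.
        URI registry = URI.create("https://registry.example.com/v2/app/blobs/sha256:0000");
        System.out.println(mayForwardAuth(registry, URI.create("https://registry.example.com/v2/app/blobs/other")));
        System.out.println(mayForwardAuth(registry, URI.create("https://bucket.s3.example.net/blob?X-Amz-Algorithm=constructed")));
        System.out.println(mayForwardAuth(registry, URI.create("http://registry.example.com/v2/app/blobs/other")));
    }
}
```

Dropping the header on the cross-host hop also avoids the S3 error quoted above, since the presigned URL then carries the only auth mechanism on the request.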

@jonesbusy jonesbusy added the bug Something isn't working label Jun 21, 2025

codecov Bot commented Jun 21, 2025

Codecov Report

Attention: Patch coverage is 92.30769% with 1 line in your changes missing coverage. Please review.

Project coverage is 88.00%. Comparing base (0161a89) to head (682edfa).
Report is 2 commits behind head on main.

Files with missing lines | Patch % | Lines
src/main/java/land/oras/auth/HttpClient.java | 92.30% | 0 Missing and 1 partial ⚠️
Additional details and impacted files
@@             Coverage Diff              @@
##               main     #334      +/-   ##
============================================
+ Coverage     87.91%   88.00%   +0.09%     
- Complexity      617      627      +10     
============================================
  Files            39       39              
  Lines          1886     1893       +7     
  Branches        208      211       +3     
============================================
+ Hits           1658     1666       +8     
  Misses          135      135              
+ Partials         93       92       -1     

@jonesbusy jonesbusy force-pushed the feature/do-not-include-auth-header-other-domain branch 2 times, most recently from a3c5059 to 178a003 Compare June 21, 2025 15:52
Signed-off-by: Valentin Delaye <jonesbusy@users.noreply.github.com>
@jonesbusy jonesbusy force-pushed the feature/do-not-include-auth-header-other-domain branch from 178a003 to 682edfa Compare June 21, 2025 16:08
@jonesbusy jonesbusy marked this pull request as ready for review June 21, 2025 16:22
@jonesbusy jonesbusy merged commit 9aa33c6 into oras-project:main Jun 21, 2025
5 checks passed
@jonesbusy jonesbusy deleted the feature/do-not-include-auth-header-other-domain branch January 11, 2026 07:48