Do not remove AUTHORIZATION header

aiohttp/wsgi.py

@@ -66,9 +66,7 @@ def create_wsgi_environ(self, message, payload):
         script_name = self.SCRIPT_NAME
 
         for hdr_name, hdr_value in message.headers.items():
-            if hdr_name == 'AUTHORIZATION':
-                continue
-            elif hdr_name == 'SCRIPT_NAME':
+            if hdr_name == 'SCRIPT_NAME':
                 script_name = hdr_value
             elif hdr_name == 'CONTENT-TYPE':
                 environ['CONTENT_TYPE'] = hdr_value

tests/test_wsgi.py

@@ -258,14 +258,15 @@ def test_dont_unquote_environ_path_info(self):
         environ = self._make_one()
         self.assertEqual(environ['PATH_INFO'], path)
 
-    def test_not_add_authorization(self):
-        self.headers.extend({'AUTHORIZATION': 'spam',
-                             'X-CUSTOM-HEADER': 'eggs'})
+    def test_authorization(self):
+        # This header should be removed according to CGI/1.1 and WSGI but
+        # in our case basic auth is not handled by server, so should
+        # not be removed
+        self.headers.extend({'AUTHORIZATION': 'spam'})
         self.message = protocol.RawRequestMessage(
             'GET', '/', (1, 1), self.headers, True, 'deflate')
         environ = self._make_one()
-        self.assertEqual('eggs', environ['HTTP_X_CUSTOM_HEADER'])
-        self.assertFalse('AUTHORIZATION' in environ)
+        self.assertEqual('spam', environ['HTTP_AUTHORIZATION'])
 
     def test_http_1_0_no_host(self):
         headers = multidict.MultiDict({})