The Go project reports:
crypto/x509: usage of IPv6 zone IDs can bypass URI name constraints
A certificate with a URI which has a IPv6 address with a
zone ID may incorrectly satisfy a URI name constraint that
applies to the certificate chain.
net/http: sensitive headers incorrectly sent after cross-domain redirect
The HTTP client drops sensitive headers after following a
cross-domain redirect. For example, a request to a.com/
containing an Authorization header which is redirected to
b.com/ will not send that header to b.com.