Failure to strip Proxy-Authorization header on change in origin
Medium
C
curl
Submitted None
Reported by
grahamcampbell
Vulnerability Details
Technical details and impact analysis
## Summary:
Failure to strip Proxy-Authorization header on change in origin.
AI was not used. I maintain the PHP Guzzle HTTP package which uses curl, and noticed we have the same issue as curl in this regard. I was made aware of this issue when golang patched something similar a few hours ago: CVE-2025-4673.
## Affected version
8.14.1
## Steps To Reproduce:
cURL appears to strip authorization and cookie, but not proxy-authorization. Send a request to a server that responds with a redirect to another host with all three headers set, and notice only the first two get stripped off the follow-up request.
## Impact
## Summary:
Information from the proxy authorization header is exposed to a bad actor.
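The redirect rule the report describes, sketched as an added example of how an HTTP client's redirect handler could treat all three headers alike; this is not code from the report, curl or Guzzle. The `origin` struct, the function names and the sample header values are assumptions made for the illustration.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Headers named in the report; treating all three alike is this example's assumption. */
static const char *const SENSITIVE[] = { "Authorization", "Cookie", "Proxy-Authorization" };

struct origin { const char *scheme; const char *host; int port; };

static int same_origin(const struct origin *a, const struct origin *b)
{
    return strcasecmp(a->scheme, b->scheme) == 0 &&
           strcasecmp(a->host, b->host) == 0 && a->port == b->port;
}

/* Match the field name of a "Name: value" line case-insensitively. */
static int is_sensitive(const char *line)
{
    const char *colon = strchr(line, ':');
    size_t n = colon ? (size_t)(colon - line) : 0, i;
    for (i = 0; i < sizeof SENSITIVE / sizeof SENSITIVE[0]; i++)
        if (n == strlen(SENSITIVE[i]) && strncasecmp(line, SENSITIVE[i], n) == 0)
            return 1;
    return 0;
}

/* Compact hdrs[] in place for the follow-up request; return how many remain. */
size_t headers_for_redirect(const char **hdrs, size_t count,
                            const struct origin *from, const struct origin *to)
{
    size_t i, kept = 0;
    if (same_origin(from, to))
        return count;              /* same scheme, host and port: keep everything */
    for (i = 0; i < count; i++)
        if (!is_sensitive(hdrs[i]))
            hdrs[kept++] = hdrs[i];
    return kept;
}

const char *demo_first; /* first header left after the last demo_redirect() call */

/* Constructed request: returns the header count left after redirecting to to_host. */
size_t demo_redirect(const char *to_host)
{
    const char *hdrs[] = { "authorization: Bearer EXAMPLE", "Cookie: sid=EXAMPLE",
                           "Proxy-Authorization: Basic EXAMPLE", "Accept: */*" };
    struct origin from = { "https", "a.example", 443 }, to = { "https", to_host, 443 };
    size_t n = headers_for_redirect(hdrs, 4, &from, &to);
    demo_first = hdrs[0];
    return n;
}
```

A regression test for a client can follow the same shape: set all three headers, redirect to a different host, and assert on the header set of the follow-up request.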
Report Details
Additional information and metadata
State
Closed
Substate
Not-Applicable
Submitted
Weakness
Information Disclosure