Swift3 before 1.9 allows remote attackers to conduct replay attacks via an Authorization request that lacks a Date header.