Open thibmeu opened 1 month ago
@thibmeu Could you offer a brief overview of the background and the request here, as well as the suggested shape of the API? It'd be easier to follow the discussion if every participant in the discussion is aware of the relevant context.
Here is my summary, please correct me or add more details as necessary:
Cloudflare is developing an extension (Silk) that implements a challenge-response based HTTP scheme. While Manifest Version 2 extensions could detect the header values with webRequest.onHeadersReceived, only Firefox supports async response handling. Chrome supported synchronous response handling in Manifest Version 2, but dropped that from Manifest Version 3, with the only webRequest.onAuthRequired being capable of reacting asynchronously to responses. Coincidentally the requested capability fits naturally in the onAuthRequired API, so there is a request here to detect 401 WWW-Authenticate PrivateToken responses and suspend the response handling until the extension has responded to it through the webRequest.onAuthRequired API.
Additional reading:
Background
webRequest.onAuthRequired is fired upon an authentication failure. Firefox defines this event as a response from the server with status code 401 or 407. This means the origin server asks for credentials. Chrome has similar requirements.

IETF recently published RFC 9577 defining PrivateToken authentication scheme. In this scheme, a server may request clients (browser) to provide a credential in the form of a PrivateToken. This seems well suited for webRequest.onAuthRequired, as it might require interaction from the end user, or storage access.

Proposal
Update webRequest.onAuthRequired to support PrivateToken authentication scheme:
- Basic authentication interception
- PrivateToken interception, allow interception by browser extensions
- PrivateToken possibly requiring asynchronous operations (retrieving configuration from storage, fetching ), consider #490 as a dependency
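
To make concrete what a 401 WWW-Authenticate PrivateToken response carries, here is an added example (not part of this issue and not a browser or extension API) that parses the header value and decodes the RFC 9577 TokenChallenge with bounds checks. The function names and the sample header are constructed for illustration.

```javascript
// Added example, not code from the issue. Sample values below are constructed.
const SCHEME = /(?:^|,)\s*PrivateToken\s+/gi;
const PARAM = /\s*([\w-]+)\s*=\s*(?:"([^"]*)"|([^\s,"]+))\s*(?:,|$)/y;

// base64url -> bytes; tolerates missing or present "=" padding.
function b64urlDecode(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/").replace(/=+$/, "");
  const bin = atob(b64 + "=".repeat((4 - (b64.length % 4)) % 4));
  return Uint8Array.from(bin, (c) => c.charCodeAt(0));
}

// TokenChallenge (RFC 9577): uint16 token_type, issuer_name<1..2^16-1>,
// redemption_context<0..32>, origin_info<0..2^16-1>, network byte order.
function decodeTokenChallenge(bytes) {
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  let off = 0;
  const take = (n) => {
    if (off + n > bytes.length) throw new RangeError("truncated TokenChallenge");
    off += n;
    return bytes.subarray(off - n, off);
  };
  const u16 = () => { take(2); return view.getUint16(off - 2); };
  const text = (b) => new TextDecoder().decode(b);
  const tokenType = u16();
  const issuerName = text(take(u16()));
  if (!issuerName) throw new RangeError("empty issuer_name");
  const ctxLen = take(1)[0];
  if (ctxLen !== 0 && ctxLen !== 32) throw new RangeError("bad redemption_context length");
  const redemptionContext = take(ctxLen);
  const originInfo = text(take(u16()));
  if (off !== bytes.length) throw new RangeError("trailing bytes in TokenChallenge");
  return { tokenType, issuerName, redemptionContext, originInfo };
}

// Returns every PrivateToken challenge found in one WWW-Authenticate value.
function parsePrivateTokenChallenges(headerValue) {
  const out = [];
  for (const m of headerValue.matchAll(SCHEME)) {
    const params = {};
    PARAM.lastIndex = m.index + m[0].length; // sticky: stops at the next scheme
    for (let p; (p = PARAM.exec(headerValue)); ) params[p[1].toLowerCase()] = p[2] ?? p[3];
    if (!params.challenge) continue; // challenge is required; the others may be absent
    out.push({
      challenge: decodeTokenChallenge(b64urlDecode(params.challenge)),
      tokenKey: params["token-key"] ? b64urlDecode(params["token-key"]) : null,
      maxAge: "max-age" in params ? Number(params["max-age"]) : null,
    });
  }
  return out;
}

// Constructed sample: token_type 0x0002, issuer.example, no context, origin.example.
const SAMPLE_HEADER = 'Basic realm="site", PrivateToken challenge="AAIADmlzc3Vlci5leGFtcGxlAAAOb3JpZ2luLmV4YW1wbGU=", token-key="Y29uc3RydWN0ZWQ", max-age=300';
```

The decoder rejects truncated or over-long structures rather than guessing, since the challenge bytes come from the network.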