Rob--W
commented
1 month ago @thibmeu Could you offer a brief overview of the background and the request here, as well as the suggested shape of the API? It'd be easier to follow the discussion if every participant in the discussion is aware of the relevant context.
Here is my summary, please correct me or add more details as necessary:
Cloudflare is developing an extension (Silk) that implements a challenge-response based HTTP scheme. While Manifest Version 2 extensions could detect the header values with webRequest.onHeadersReceived, only Firefox supports async response handling. Chrome supported synchronous response handling in Manifest Version 2, but dropped that from Manifest Version 3, with the only webRequest.onAuthRequired being capable of reacting asynchronously to responses. Coincidentally the requested capability fits naturally in the onAuthRequired API, so there is a request here to detect 401 WWW-Authenticate PrivateToken responses and suspend the response handling until the extension has responded to it through the webRequest.onAuthRequired API.
Additional reading:
Background
webRequest.onAuthRequiredis fired upon an authentication failure. Firefox defines this event as a response from the server with status code401or407. This means the origin server asks for credentials. Chrome has similar requirements.IETF recently published RFC 9577 defining
PrivateTokenauthentication scheme. In this scheme, a server may request clients (browser) to provide a credential in the form of a PrivateToken. This seems well suited forwebRequest.onAuthRequired, as it might require interaction from the end user, or storage access.Proposal
Update
webRequest.onAuthRequiredto supportPrivateTokenauthentication scheme:Basicauthentication interceptionPrivateTokeninterception, allow interception by browser extensionsPrivateTokenpossibly requiring asynchronous operations (retrieving configuration from storage, fetching ), consider #490 as a dependency