Proposal: Support PrivateToken authentication scheme on webRequest.onAuthRequired #662

Open
thibmeu opened this issue Jul 24, 2024 · 1 comment
Labels: needs-triage: chrome; needs-triage: firefox; neutral: safari


thibmeu commented Jul 24, 2024

Background

webRequest.onAuthRequired is fired upon an authentication failure. Firefox defines this event as a response from the server with status code 401 or 407. This means the origin server asks for credentials. Chrome has similar requirements.

The IETF recently published RFC 9577, defining the PrivateToken authentication scheme. In this scheme, a server may request clients (browsers) to provide a credential in the form of a PrivateToken. This seems well suited for webRequest.onAuthRequired, as it might require interaction from the end user, or storage access.

// In Chrome: use chrome. instead of browser.
browser.webRequest.onAuthRequired.addListener(
  function (details) {
    return { /* BlockingResponse here*/ };
  },
  { urls: ["*://example.com/*"] },
  ["blocking"]
);

Proposal

Update webRequest.onAuthRequired to support the PrivateToken authentication scheme:

@github-actions github-actions bot added needs-triage: chrome Chrome needs to assess this issue for the first time needs-triage: firefox Firefox needs to assess this issue for the first time needs-triage: safari Safari needs to assess this issue for the first time labels Jul 24, 2024
@xeenon xeenon added neutral: safari Not opposed or supportive from Safari and removed needs-triage: safari Safari needs to assess this issue for the first time labels Aug 1, 2024
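
For readers unfamiliar with the WWW-Authenticate: PrivateToken challenge from RFC 9577 that this issue asks webRequest.onAuthRequired to surface, the following added example (not code from the issue, from Silk, or from any browser) parses such a header and decodes its TokenChallenge structure. The function names, the sample header and its 3-byte token-key stand-in are constructed for illustration.

```javascript
// Added illustration: helper names are hypothetical, not a browser or extension API.
const TOKEN_TYPES = { 1: "VOPRF (P-384, SHA-384)", 2: "Blind RSA (2048-bit)" }; // RFC 9578
function b64urlToBytes(s) {
  const b64 = s.replace(/=+$/, "").replace(/-/g, "+").replace(/_/g, "/");
  const bin = atob(b64 + "=".repeat((4 - (b64.length % 4)) % 4));
  return Uint8Array.from(bin, (c) => c.charCodeAt(0));
}
// TokenChallenge (RFC 9577): u16 token_type, then length-prefixed issuer_name (u16),
// redemption_context (u8 prefix, 0 or 32 bytes) and origin_info (u16).
function decodeTokenChallenge(bytes) {
  let off = 0;
  const take = (n) => {
    if (off + n > bytes.length) throw new RangeError("truncated TokenChallenge");
    off += n;
    return bytes.subarray(off - n, off);
  };
  const u16 = () => { const b = take(2); return (b[0] << 8) | b[1]; };
  const str = (n) => new TextDecoder().decode(take(n));
  const tokenType = u16();
  const issuerName = str(u16());
  const redemptionContext = take(take(1)[0]);
  const originInfo = str(u16());
  if (!issuerName) throw new RangeError("empty issuer_name");
  if (![0, 32].includes(redemptionContext.length)) throw new RangeError("bad redemption_context");
  if (off !== bytes.length) throw new RangeError("trailing bytes after TokenChallenge");
  const typeName = TOKEN_TYPES[tokenType] ?? "unknown";
  return { tokenType, typeName, issuerName, redemptionContext, originInfo };
}

// Simplified auth-param scan: ignores "PrivateToken" inside another scheme's quoted string.
function parsePrivateTokenChallenges(headerValue) {
  const schemeRe = /\bPrivateToken\s+((?:[\w-]+\s*=\s*(?:"[^"]*"|[^\s,"]+)\s*,?\s*)+)/gi;
  const paramRe = /([\w-]+)\s*=\s*(?:"([^"]*)"|([^\s,"]+))/g;
  const found = [];
  for (const [, paramText] of headerValue.matchAll(schemeRe)) {
    const p = {};
    for (const [, name, quoted, bare] of paramText.matchAll(paramRe)) p[name.toLowerCase()] = quoted ?? bare;
    if (!p.challenge) continue; // no TokenChallenge, nothing to act on
    const challenge = decodeTokenChallenge(b64urlToBytes(p.challenge));
    const tokenKey = p["token-key"] ? b64urlToBytes(p["token-key"]) : null;
    found.push({ challenge, tokenKey, maxAge: p["max-age"] ? Number(p["max-age"]) : null });
  }
  return found;
}

// Constructed sample: issuer.example / origin.example; token-key is a 3-byte stand-in.
const SAMPLE = 'Basic realm="site", PrivateToken ' +
  'challenge="AAIADmlzc3Vlci5leGFtcGxlAAAOb3JpZ2luLmV4YW1wbGU=", token-key="AQID", max-age=60';
console.log(parsePrivateTokenChallenges(SAMPLE));
```

The decoder rejects truncated or over-long structures instead of guessing, since the challenge bytes come from the network and feed directly into the token request an extension would make.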
Member

Rob--W commented Aug 1, 2024

@thibmeu Could you offer a brief overview of the background and the request here, as well as the suggested shape of the API? It'd be easier to follow the discussion if every participant in the discussion is aware of the relevant context.

Here is my summary, please correct me or add more details as necessary:

Cloudflare is developing an extension (Silk) that implements a challenge-response based HTTP scheme. While Manifest Version 2 extensions could detect the header values with webRequest.onHeadersReceived, only Firefox supports async response handling. Chrome supported synchronous response handling in Manifest Version 2, but dropped that from Manifest Version 3, with only webRequest.onAuthRequired being capable of reacting asynchronously to responses. Coincidentally, the requested capability fits naturally in the onAuthRequired API, so there is a request here to detect 401 WWW-Authenticate PrivateToken responses and suspend the response handling until the extension has responded to it through the webRequest.onAuthRequired API.

Additional reading:
