Add-ons

webRequest.onAuthRequired

Fired when the server sends a 401 or 407 status code: that is, when the server is asking the client to provide authentication credentials such as a username and password.

The listener can respond in one of four different ways:

Take no action: the listener can do nothing, just observing the request. If this happens, it will have no effect on the handling of the request, and the browser will probably just ask the user to log in.

Cancel the request: the listener can cancel the request. If they do this, then authentication will fail, and the user will not be asked to log in. Extensions can cancel requests as follows:

  • in addListener, pass "blocking" in the extraInfoSpec parameter
  • in the listener itself, return an object with a cancel property set to true

Provide credentials synchronously: if credentials are available synchronously, the extension can supply them synchronously. If the extension does this, then the browser will attempt to log in with the given credentials. The listener can provide credentials synchronously as follows:

  • in addListener, pass "blocking" in the extraInfoSpec parameter
  • in the listener, return an object with an authCredentials property set to the credentials to supply

Provide credentials asynchronously: the extension might need to fetch credentials asynchronously. For example, the extension might need to fetch credentials from storage, or ask the user. In this case, the listener can supply credentials asynchronously as follows:

  • in addListener, pass "blocking" in the extraInfoSpec parameter
  • in the listener, return a Promise that is resolved with an object containing an authCredentials property, set to the credentials to supply

See Examples.

If you use "blocking" you must have the "webRequestBlocking" API permission in your manifest.json.

If your extension provides bad credentials, then the listener will be called again. For this reason, take care not to enter an infinite loop by repeatedly providing bad credentials.

Syntax

browser.webRequest.onAuthRequired.addListener(
  listener,                    // function
  filter,                      //  object
  extraInfoSpec                //  optional array of strings
)
browser.webRequest.onAuthRequired.removeListener(listener)
browser.webRequest.onAuthRequired.hasListener(listener)

Events have three functions:

addListener(callback, filter, extraInfoSpec)
Adds a listener to this event.
removeListener(listener)
Stop listening to this event. The listener argument is the listener to remove.
hasListener(listener)
Check whether listener is registered for this event. Returns true if it is listening, false otherwise.

addListener syntax

Parameters

callback

A function that will be called when this event occurs. The function will be passed the following arguments:

details
object. Details about the request. See details below.

Returns: webRequest.BlockingResponse or a Promise.

  • To handle the request synchronously, include "blocking" in the extraInfoSpec parameter and return a BlockingResponse object, with its cancel or its authCredentials properties set.
  • To handle the request asynchronously, include "blocking" in the extraInfoSpec parameter and return a Promise that is resolved with a  BlockingResponse object, with its cancel or its authCredentials properties set.
filter
webRequest.RequestFilter. A filter that restricts the events that will be sent to this listener.
extraInfoSpecOptional
array of string. Extra options for the event. You can pass any of the following values:
  • "blocking": make the request block, so you can cancel the request or supply authentication credentials
  • "responseHeaders": include responseHeaders in the details object passed to the listener

Additional objects

details

challenger
object. The server requesting authentication. This is an object with the following properties:
host
string. The server's hostname.
Warning: Unlike chrome, Firefox will return the requested host instead of the proxy requesting the authentication, even if isProxy is true.
port
integer. The server's port number.
frameId
integer. Zero if the request happens in the main frame; a positive value is the ID of a subframe in which the request happens. If the document of a (sub-)frame is loaded (type is main_frame or sub_frame), frameId indicates the ID of this frame, not the ID of the outer frame. Frame IDs are unique within a tab.
isProxy
boolean. true for Proxy-Authenticate, false for WWW-Authenticate. Note: webRequest.onAuthRequired is only called for HTTP and HTTPS/SSL proxy servers requiring authentication, and not for SOCKS proxy servers requiring authentication.
method
string. Standard HTTP method: for example, "GET" or "POST".
parentFrameId
integer. ID of the frame that contains the frame which sent the request. Set to -1 if no parent frame exists.
proxyInfo

object. This property is present only if the request is being proxied. It contains the following properties:

host
string. The hostname of the proxy server.
port
integer. The port number of the proxy server.
type

string. The type of proxy server. One of:

  • "http": HTTP proxy (or SSL CONNECT for HTTPS)
  • "https": HTTP proxying over TLS connection to proxy
  • "socks": SOCKS v5 proxy
  • "socks4": SOCKS v4 proxy
  • "direct": no proxy
  • "unknown": unknown proxy
username
string. Username for the proxy service.
proxyDNS
boolean. True if the proxy will perform domain name resolution based on the hostname supplied, meaning that the client should not do its own DNS lookup.
failoverTimeout
integer. Failover timeout in seconds. If the connection fails to connect the proxy server after this number of seconds, the next proxy server in the array returned from FindProxyForURL() will be used.
realmOptional
string. The authentication realm provided by the server, if there is one.
requestId
string. The ID of the request. Request IDs are unique within a browser session, so you can use them to relate different events associated with the same request.
responseHeadersOptional
webRequest.HttpHeaders. The HTTP response headers that were received along with this response.
scheme
string. The authentication scheme: "basic" or "digest".
statusCode
integer. Standard HTTP status code returned by the server.
statusLine
string. HTTP status line of the response or the 'HTTP/0.9 200 OK' string for HTTP/0.9 responses (i.e., responses that lack a status line) or an empty string if there are no headers.
tabId
integer. ID of the tab in which the request takes place. Set to -1 if the request isn't related to a tab.
timeStamp
number. The time when this event fired, in milliseconds since the epoch.
type
webRequest.ResourceType. The type of resource being requested: for example, "image", "script", "stylesheet".
url
string. Target of the request.

Browser compatibility

ChromeEdgeFirefoxFirefox for AndroidOpera
Basic Support (Yes) (Yes)541541 (Yes)
asyncBlocking (Yes) (Yes) No No (Yes)
details.challenger (Yes) (Yes)542542 (Yes)
details.frameId (Yes) (Yes)5454 (Yes)
details.isProxy (Yes) (Yes)5454 (Yes)
details.method (Yes) (Yes)5454 (Yes)
details.parentFrameId (Yes) (Yes)5454 (Yes)
details.proxyInfo No No5757 No
details.realm (Yes) (Yes)5454 (Yes)
details.requestId (Yes) (Yes)5454 (Yes)
details.responseHeaders (Yes) (Yes)5454 (Yes)
details.scheme (Yes) (Yes)5454 (Yes)
details.statusCode (Yes) (Yes)5454 (Yes)
details.statusLine (Yes) (Yes)5454 (Yes)
details.tabId (Yes) (Yes)5454 (Yes)
details.timeStamp (Yes) (Yes)5454 (Yes)
details.type (Yes) (Yes)5454 (Yes)

1. To handle a request asynchronously, return a Promise from the listener.

2. Before version 57, when authenticating to a proxy server, the challenger.host property contains the hostname for the requested URL rather than the hostname for the proxy.

Examples

This code just observes authentication requests for the target URL:

var target = "https://intranet.company.com/";

function observe(requestDetails) {
  console.log("observing: " + requestDetails.requestId);
}

browser.webRequest.onAuthRequired.addListener(
  observe,
  {urls: [target]}
);

This code cancels authentication requests for the target URL:

var target = "https://intranet.company.com/";

function cancel(requestDetails) {
  console.log("canceling: " + requestDetails.requestId);
  return {cancel: true};
}

browser.webRequest.onAuthRequired.addListener(
  cancel,
  {urls: [target]},
  ["blocking"]
);

This code supplies credentials synchronously. It has to keep track of outstanding requests, to ensure that it doesn't repeatedly try to submit bad credentials:

var target = "https://intranet.company.com/";

var myCredentials = {
  username: "me@company.com",
  password: "zDR$ERHGDFy"
}

var pendingRequests = [];

// A request has completed.
// We can stop worrying about it.
function completed(requestDetails) {
  console.log("completed: " + requestDetails.requestId);
  var index = pendingRequests.indexOf(requestDetails.requestId);
  if (index > -1) {
    pendingRequests.splice(index, 1);
  }
}

function provideCredentialsSync(requestDetails) {
  // If we have seen this request before, then
  // assume our credentials were bad, and give up.
  if (pendingRequests.indexOf(requestDetails.requestId) != -1) {
    console.log("bad credentials for: " + requestDetails.requestId);
    return {cancel:true};
  }
  pendingRequests.push(requestDetails.requestId);
  console.log("providing credentials for: " + requestDetails.requestId);
  return {authCredentials: myCredentials};
}

browser.webRequest.onAuthRequired.addListener(
    provideCredentialsSync,
    {urls: [target]},
    ["blocking"]
  );

browser.webRequest.onCompleted.addListener(
  completed,
  {urls: [target]}
);

browser.webRequest.onErrorOccurred.addListener(
  completed,
  {urls: [target]}
);

This code supplies credentials asynchronously, fetching them from storage. It also has to keep track of outstanding requests, to ensure that it doesn't repeatedly try to submit bad credentials:

var target = "https://httpbin.org/basic-auth/*";

var pendingRequests = [];

/*
A request has completed. We can stop worrying about it.
*/
function completed(requestDetails) {
  console.log("completed: " + requestDetails.requestId);
  var index = pendingRequests.indexOf(requestDetails.requestId);
  if (index > -1) {
    pendingRequests.splice(index, 1);
  }
}

function provideCredentialsAsync(requestDetails) {
  // If we have seen this request before,
  // then assume our credentials were bad,
  // and give up.
  if (pendingRequests.indexOf(requestDetails.requestId) != -1) {
    console.log("bad credentials for: " + requestDetails.requestId);
    return {cancel: true};
    
  } else {
    pendingRequests.push(requestDetails.requestId);
    console.log("providing credentials for: " + requestDetails.requestId);
    // we can return a promise that will be resolved
    // with the stored credentials
    return browser.storage.local.get(null);
  }
}

browser.webRequest.onAuthRequired.addListener(
    provideCredentialsAsync,
    {urls: [target]},
    ["blocking"]
  );

browser.webRequest.onCompleted.addListener(
  completed,
  {urls: [target]}
);

browser.webRequest.onErrorOccurred.addListener(
  completed,
  {urls: [target]}
);

Example extensions

Acknowledgements

This API is based on Chromium's chrome.webRequest API. This documentation is derived from web_request.json in the Chromium code.

Microsoft Edge compatibility data is supplied by Microsoft Corporation and is included here under the Creative Commons Attribution 3.0 United States License.

Document Tags and Contributors

 Last updated by: ericjung,