Details for the webRequestAuthProvider permission #30188

Merged
merged 10 commits into from
Dec 11, 2023
Expand Up @@ -7,44 +7,50 @@ browser-compat: webextensions.api.webRequest.onAuthRequired

{{AddonSidebar()}}

Fired when the server sends a `401` or `407` status code and a `WWW-Authenticate` header using the `Basic` scheme (that is, when the server is asking the client to provide authentication credentials, such as a username and password).
Fired when the server sends a `401` or `407` status code and a `WWW-Authenticate` header using the `Basic` scheme (that is, when the server asks the client to provide authentication credentials, such as a username and password).

The listener can respond in one of four different ways:
The listener can respond in one of four ways:

- Take no action
- : The listener can do nothing, just observing the request. If this happens, it will have no effect on the handling of the request, and the browser will probably just ask the user to log in.
- : The listener can do nothing, just observing the request. If this happens, it does not affect the handling of the request, and the browser asks the user to log in, if appropriate.
- Cancel the request

- : The listener can cancel the request. If they do this, then authentication will fail, and the user will not be asked to log in. Extensions can cancel requests as follows:
- : The listener can cancel the request. If it does this, authentication fails, and the user is not asked to log in. Extensions can cancel requests as follows:

- in addListener, pass `"blocking"` in the `extraInfoSpec` parameter
- in the listener itself, return an object with a `cancel` property set to `true`
- in the listener, return an object with a `cancel` property set to `true`

- Provide credentials synchronously

- : If credentials are available synchronously, the extension can supply them synchronously. If the extension does this, then the browser will attempt to log in with the given credentials. The listener can provide credentials synchronously as follows:
- : If credentials are available synchronously, the extension can supply them synchronously. If the extension does this, the browser attempts to log in with the credentials. The listener can provide credentials synchronously as follows:

- in addListener, pass `"blocking"` in the `extraInfoSpec` parameter
- in the listener, return an object with an `authCredentials` property set to the credentials to supply

- Provide credentials asynchronously

- : The extension might need to fetch credentials asynchronously. For example, the extension might need to fetch credentials from storage, or ask the user. In this case, the listener can supply credentials asynchronously as follows:
- : The extension might need to fetch credentials asynchronously. For example, the extension might need to fetch credentials from storage or ask the user. In this case, the listener can supply credentials asynchronously as follows:

- in addListener, pass `"blocking"` in the `extraInfoSpec` parameter
- in the listener, return a `Promise` that is resolved with an object containing an `authCredentials` property, set to the credentials to supply
- in the listener, return a `Promise` that resolves with an object containing an `authCredentials` property, set to the credentials to supply

See [Examples](#examples).

If you use `"blocking"` you must have the ["webRequestBlocking" API permission](/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/permissions#api_permissions) in your `manifest.json`.
If your extension provides bad credentials, then the listener is called again. For this reason, take care to avoid entering an infinite loop by repeatedly providing bad credentials.

If your extension provides bad credentials, then the listener will be called again. For this reason, take care not to enter an infinite loop by repeatedly providing bad credentials.
## Permissions

In Firefox and Chrome Manifest V2 extensions, you must add the [`"webRequest"` and `"webRequestBlocking"` API permissions](/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/permissions#api_permissions) to your `manifest.json`.

For Chrome Manifest V3 extensions, the `"webRequestBlocking"` permission is no longer available (except for policy-installed extensions). Instead, the `"webRequest"` and `"webRequestAuthProvider"` permissions enable you to supply credentials asynchronously.

> **Note:** Firefox does not support `"webRequestAuthProvider"`, but support is planned. See [bug 1820569](https://bugzilla.mozilla.org/show_bug.cgi?id=1820569).

## Proxy authorization

In general, Firefox does not fire `webRequest` events for system requests, such as browser or extension upgrades, or search engine queries. To enable proxy authorization to work smoothly for system requests, from version 57 Firefox implements an exception to this.
Firefox does not generally fire `webRequest` events for system requests, such as browser or extension upgrades or search engine queries. To enable proxy authorization to work smoothly for system requests, from version 57, Firefox supports an exception to this.

If an extension has the `"webRequest"`, `"webRequestBlocking"`, `"proxy"`, and `"<all_urls>"` permissions, then it will be able to use `onAuthRequired` to supply credentials for proxy authorization (but not for normal web authorization). The listener will not be able to cancel system requests or make any other modifications to any system requests.
If an extension has the `"webRequest"`, `"webRequestBlocking"`, `"proxy"`, and `"<all_urls>"` permissions, then it can use `onAuthRequired` to supply credentials for proxy authorization (but not for normal web authorization). The listener cannot cancel system requests or make any other modifications to any system requests.

## Syntax

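Review bot: the "Provide credentials asynchronously" steps still tell the reader to pass `"blocking"` in `extraInfoSpec`, which contradicts the new Permissions text stating that Chrome Manifest V3 drops `"webRequestBlocking"` and instead relies on `"webRequest"` plus `"webRequestAuthProvider"` for asynchronous credentials. Either qualify that bullet (for example: "in Firefox, pass `"blocking"`; in Chrome Manifest V3, pass `"asyncBlocking"` instead") or point it at the Syntax section where the two flows are described, so the introduction and the Syntax section agree on what a Chrome extension has to do.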
Expand Down Expand Up @@ -80,16 +86,19 @@ Events have three functions:

Returns: {{WebExtAPIRef('webRequest.BlockingResponse')}} or a {{jsxref("Promise")}}.

- To handle the request synchronously, include `"blocking"` in the `extraInfoSpec` parameter and return a `BlockingResponse` object, with its `cancel` or its `authCredentials` properties set.
- To handle the request asynchronously, include `"blocking"` in the `extraInfoSpec` parameter and return a `Promise` that is resolved with a `BlockingResponse` object, with its `cancel` or its `authCredentials` properties set.
- To handle the request synchronously, include `"blocking"` in the `extraInfoSpec` parameter and return a `BlockingResponse` object with its `cancel` or `authCredentials` properties set.
This behavior is the same for Firefox and Chrome. However, synchronous handling is only appropriate for the simplest of extensions.
- To handle the request asynchronously:
- in Firefox, the `extraInfoSpec` array must include `"blocking"`, and the event handler function can return a Promise that resolves to a `BlockingResponse` object, with its `cancel` or `authCredentials` properties set. This is basically the same as handling the event synchronously.
- in Chrome, the `extraInfoSpec` array must include `"asyncBlocking"` (without `"blocking"`). The event handler function is passed a second parameter (called `asyncCallback`) that is invoked with the `BlockingResponse` result, with its `cancel` or `authCredentials` properties set.

- `filter`
- : {{WebExtAPIRef('webRequest.RequestFilter')}}. A filter that restricts the events that is sent to this listener.
- : {{WebExtAPIRef('webRequest.RequestFilter')}}. A filter that restricts the events that are sent to this listener.
- `extraInfoSpec` {{optional_inline}}

- : `array` of `string`. Extra options for the event. You can pass any of the following values:

- `"blocking"`: make the request block, so you can cancel the request or supply authentication credentials
- `"blocking"`: make the request block so you can cancel the request or supply authentication credentials
- `"responseHeaders"`: include `responseHeaders` in the `details` object passed to the listener

## Additional objects
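Review bot: `"asyncBlocking"` is introduced for Chrome in the asynchronous bullet but is missing from the `extraInfoSpec` values list just below, which still lists only `"blocking"` and `"responseHeaders"`. Add an entry along the lines of `"asyncBlocking"`: Chrome only; make the request block and pass the listener a second parameter (`asyncCallback`) that delivers the `BlockingResponse` asynchronously, and document that second parameter in the `listener` description as well. Separately, "synchronous handling is only appropriate for the simplest of extensions" gives no reason; saying that a synchronous listener can only return credentials it already holds in memory, whereas fetching them from storage or asking the user (the cases the introduction lists) requires the asynchronous flow, would make the advice actionable.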
Expand All @@ -108,16 +117,16 @@ Events have three functions:
- `cookieStoreId`
- : `string`. If the request is from a tab open in a contextual identity, the cookie store ID of the contextual identity. See [Work with contextual identities](/en-US/docs/Mozilla/Add-ons/WebExtensions/Work_with_contextual_identities) for more information.
- `frameId`
- : `integer`. This is `0` if the request happens in the main frame; a positive value is the ID of a subframe in which the request happens. If the document of a (sub-)frame is loaded (`type` is `main_frame` or `sub_frame`), `frameId` indicates the ID of this frame, not the ID of the outer frame. Frame IDs are unique within a tab.
- : `integer`. This is `0` if the request occurs in the main frame; a positive value is the ID of a subframe where the request happens. If the document of a (sub-)frame is loaded (`type` is `main_frame` or `sub_frame`), `frameId` indicates this frame's ID, not the outer frame's ID. Frame IDs are unique within a tab.
- `incognito`
- : `boolean`. Whether the request is from a private browsing window.
- `isProxy`
- : `boolean`. `true` for `Proxy-Authenticate`, `false` for `WWW-Authenticate`.
> **Note:** `webRequest.onAuthRequired` is only called for HTTP and HTTPS/TLS proxy servers requiring authentication, and not for SOCKS proxy servers requiring authentication.
> **Note:** `webRequest.onAuthRequired` is only called for HTTP and HTTPS/TLS proxy servers requiring authentication, not for SOCKS proxy servers requiring authentication.
- `method`
- : `string`. Standard HTTP method (For example, `"GET"` or `"POST"`).
- `parentFrameId`
- : `integer`. ID of the frame that contains the frame which sent the request. Set to `-1` if no parent frame exists.
- : `integer`. ID of the frame that contains the frame that sent the request. Set to `-1` if no parent frame exists.
- `proxyInfo`

- : `object`. This property is present only if the request is being proxied. It contains the following properties:
Expand All @@ -140,35 +149,35 @@ Events have three functions:
- `username`
- : `string`. Username for the proxy service.
- `proxyDNS`
- : `boolean`. True if the proxy will perform domain name resolution based on the hostname supplied, meaning that the client should not do its own DNS lookup.
- : `boolean`. True if the proxy performs domain name resolution based on the hostname supplied, meaning that the client should not do its own DNS lookup.
- `failoverTimeout`
- : `integer`. Failover timeout in seconds. If the connection fails to connect the proxy server after this number of seconds, the next proxy server in the array returned from [FindProxyForURL()](</en-US/docs/Mozilla/Add-ons/WebExtensions/API/proxy#findproxyforurl()_return_value>) will be used.
- : `integer`. Failover timeout in seconds. If the connection fails to connect the proxy server after this number of seconds, the next proxy server in the array returned from [FindProxyForURL()](</en-US/docs/Mozilla/Add-ons/WebExtensions/API/proxy#findproxyforurl()_return_value>) is used.

- `realm` {{optional_inline}}
- : `string`. The authentication [realm](https://datatracker.ietf.org/doc/html/rfc1945#section-11) provided by the server, if there is one.
- `requestId`
- : `string`. The ID of the request. Request IDs are unique within a browser session, so you can use them to relate different events associated with the same request.
- : `string`. The ID of the request. Request IDs are unique within a browser session, so you can relate different events associated with the same request.
- `responseHeaders` {{optional_inline}}
- : {{WebExtAPIRef('webRequest.HttpHeaders')}}. The HTTP response headers that were received along with this response.
- : {{WebExtAPIRef('webRequest.HttpHeaders')}}. The HTTP response headers received with this response.
- `scheme`
- : `string`. The authentication scheme: `"basic"` or `"digest`".
- `statusCode`
- : `integer`. Standard HTTP status code returned by the server.
- `statusLine`
- : `string`. HTTP status line of the response or the `'HTTP/0.9 200 OK'` string for HTTP/0.9 responses (i.e., responses that lack a status line) or an empty string if there are no headers.
- : `string`. HTTP status line of the response, the `'HTTP/0.9 200 OK'` string for HTTP/0.9 responses (i.e., responses that lack a status line), or an empty string if there are no headers.
- `tabId`
- : `integer`. ID of the tab in which the request takes place. Set to `-1` if the request isn't related to a tab.
- : `integer`. ID of the tab where the request takes place. Set to `-1` if the request isn't related to a tab.
- `thirdParty`
- : `boolean`. Indicates whether the request and its content window hierarchy are third party.
- : `boolean`. Indicates whether the request and its content window hierarchy are third-party.
- `timeStamp`
- : `number`. The time when this event fired, in [milliseconds since the epoch](https://en.wikipedia.org/wiki/Unix_time).
- `type`
- : {{WebExtAPIRef('webRequest.ResourceType')}}. The type of resource being requested: for example, `"image"`, `"script"`, `"stylesheet"`.
- : {{WebExtAPIRef('webRequest.ResourceType')}}. The type of resource being requested: for example, `"image"`, `"script"`, or `"stylesheet"`.
- `url`
- : `string`. Target of the request.
- `urlClassification`

- : `object`. The type of tracking associated with the request, if with the request has been classified by [Firefox Tracking Protection](https://support.mozilla.org/en-US/kb/enhanced-tracking-protection-firefox-desktop). This is an object with the following properties:
- : `object`. The type of tracking associated with the request if the request is classified by [Firefox Tracking Protection](https://support.mozilla.org/en-US/kb/enhanced-tracking-protection-firefox-desktop). This is an object with the following properties:

- `firstParty`
- : `array` of `strings`. Classification flags for the request's first party.
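Review bot: the `scheme` line has a misplaced backtick, `"digest`"` should read `"digest"`; it is unchanged context here, but this hunk already touches the surrounding entries and is the natural place to fix it. In the rewritten `failoverTimeout` description, "fails to connect the proxy server" should be "fails to connect to the proxy server".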
Expand All @@ -177,20 +186,16 @@ Events have three functions:

The classification flags include:

- `fingerprinting` and `fingerprinting_content`: indicates the request is involved in fingerprinting. `fingerprinting_content` indicates the request is loaded from an origin that has been found to fingerprint but is not considered to participate in tracking, such as a payment provider.
- `fingerprinting` and `fingerprinting_content`: indicates the request is involved in fingerprinting. `fingerprinting_content` indicates the request is loaded from an origin found to fingerprint but is not considered to participate in tracking, such as a payment provider.
- `cryptomining` and `cryptomining_content`: similar to the fingerprinting category but for cryptomining resources.
- `tracking`, `tracking_ad`, `tracking_analytics`, `tracking_social`, and `tracking_content`: indicates the request is involved in tracking. `tracking` is any generic tracking request, the `ad`, `analytics`, `social`, and `content` suffixes identify the type of tracker.
- `any_basic_tracking`: a meta flag that combines any tracking and fingerprinting flags, excluding `tracking_content` and `fingerprinting_content`.
- `any_strict_tracking`: a meta flag that combines any tracking and fingerprinting flags, including `tracking_content` and `fingerprinting_content`.
- `tracking`, `tracking_ad`, `tracking_analytics`, `tracking_social`, and `tracking_content`: indicates the request is involved in tracking. `tracking` is any generic tracking request. The `ad`, `analytics`, `social`, and `content` suffixes identify the type of tracker.
- `any_basic_tracking`: a meta flag that combines tracking and fingerprinting flags, excluding `tracking_content` and `fingerprinting_content`.
- `any_strict_tracking`: a meta flag that combines tracking and fingerprinting flags, including `tracking_content` and `fingerprinting_content`.
- `any_social_tracking`: a meta flag that combines any social tracking flags.

## Browser compatibility

{{Compat}}

## Examples

This code just observes authentication requests for the target URL:
This code observes authentication requests for the target URL:

```js
const target = "https://intranet.company.com/";
Expand All @@ -217,7 +222,7 @@ browser.webRequest.onAuthRequired.addListener(cancel, { urls: [target] }, [
]);
```

This code supplies credentials synchronously. It has to keep track of outstanding requests, to ensure that it doesn't repeatedly try to submit bad credentials:
This code supplies credentials synchronously. It keeps track of outstanding requests to ensure that it doesn't repeatedly try to submit bad credentials:

```js
const target = "https://intranet.company.com/";
Expand Down Expand Up @@ -262,7 +267,7 @@ browser.webRequest.onCompleted.addListener(completed, { urls: [target] });
browser.webRequest.onErrorOccurred.addListener(completed, { urls: [target] });
```

This code supplies credentials asynchronously, fetching them from storage. It also has to keep track of outstanding requests, to ensure that it doesn't repeatedly try to submit bad credentials:
This code supplies credentials asynchronously, fetching them from storage. It also keeps track of outstanding requests to ensure that it doesn't repeatedly try to submit bad credentials:

```js
const target = "https://httpbin.org/basic-auth/*";
Expand Down Expand Up @@ -309,6 +314,10 @@ browser.webRequest.onErrorOccurred.addListener(completed, { urls: [target] });

{{WebExtExamples}}

## Browser compatibility

{{Compat}}

> **Note:** This API is based on Chromium's [`chrome.webRequest`](https://developer.chrome.com/docs/extensions/reference/webRequest/#event-onAuthRequired) API. This documentation is derived from [`web_request.json`](https://chromium.googlesource.com/chromium/src/+/master/extensions/common/api/web_request.json) in the Chromium code.

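Review bot: the Syntax section now documents a Chrome-specific asynchronous flow (`"asyncBlocking"` plus an `asyncCallback` parameter, backed by the `"webRequestAuthProvider"` permission), but none of the examples shows it; the existing examples are written against the `browser` namespace and, per the Syntax text, the `"blocking"` flow. Consider adding a Chrome variant of the asynchronous example that passes `"asyncBlocking"` in `extraInfoSpec` and invokes `asyncCallback` with a `BlockingResponse` whose `authCredentials` is set, since the Permissions section says that is the only path available to Chrome Manifest V3 extensions that are not policy-installed.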
<!--
Expand Down
Expand Up @@ -126,6 +126,7 @@ These permissions are available in Manifest V2 and above unless otherwise noted:
- `unlimitedStorage`
- `webNavigation`
- `webRequest`
- `webRequestAuthProvider` (Manifest V3 and above)
- `webRequestBlocking`
- `webRequestFilterResponse`
- `webRequestFilterResponse.serviceWorkerScript`
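Review bot: the new `webRequestAuthProvider` entry notes "Manifest V3 and above" but says nothing about browser support, while the `onAuthRequired` page in this same PR states that Firefox does not support the permission yet (bug 1820569). Add the same qualifier here, or link to that note, so a reader of the permissions list knows the permission currently applies to Chrome only.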
Expand Down