Fired when the server sends a 401 status code: that is, when the server is asking the client to provide authentication credentials such as a username and password.
The listener can respond in one of four different ways:
Take no action: the listener can do nothing, just observing the request. If this happens, it will have no effect on the handling of the request, and the browser will probably just ask the user to log in.
Cancel the request: the listener can cancel the request. If they do this, then authentication will fail, and the user will not be asked to log in. Add-ons can cancel requests as follows:
- in addListener, pass
"blocking"
in theextraInfoSpec
parameter - in the listener itself, return an object with a
cancel
property set totrue
Provide credentials synchronously: if credentials are available synchronously, the add-on can supply them synchronously. If the add-on does this, then the browser will attempt to log in with the given credentials. The listener can provide credentials synchronously as follows:
- in addListener, pass
"blocking"
in theextraInfoSpec
parameter - in the listener, return an object with an
authCredentials
property set to the credentials to supply
Provide credentials asynchronously: the add-on might need to fetch credentials asynchronously. For example, the add-on might need to fetch credentials from storage, or ask the user. In this case, the listener can supply credentials asynchronously as follows:
- in addListener, pass
"asyncBlocking"
in theextraInfoSpec
parameter - the listener then gets passed an extra argument, which is a callback. When the listener has the credentials, it calls the callback, passing it an object with an
authCredentials
property set to the credentials to supply.
See Examples.
If you use "blocking"
or "asyncBlocking"
, you must have the "webRequestBlocking" API permission in your manifest.json.
If your add-on provides bad credentials, then the listener will be called again. For this reason, take care not to enter an infinite loop by repeatedly providing bad credentials.
Syntax
browser.webRequest.onAuthRequired.addListener(function( details, // object function(response) {...} // optional function ) {...}) browser.webRequest.onAuthRequired.removeListener(listener) browser.webRequest.onAuthRequired.hasListener(listener)
Events have three functions:
addListener(callback, filter, extraInfoSpec)
- Adds a listener to this event.
removeListener(listener)
- Stop listening to this event. The
listener
argument is the listener to remove. hasListener(listener)
- Check whether
listener
is registered for this event. Returnstrue
if it is listening,false
otherwise.
addListener syntax
Parameters
callback
-
A function that will be called when this event occurs. The function will be passed the following arguments:
callback
function
. If theextraInfoSpec
parameter includes"asyncBlocking"
, then this callback argument will be passed to the listener. Call it to send credentials back to the browser. The function is passed the following arguments:-
response
webRequest.BlockingResponse
. ABlockingResponse
object, with either itscancel
or itsauthCredentials
properties set.
Returns:
webRequest.BlockingResponse
. If theextraInfoSpec
parameter includes"blocking"
, the event listener should return aBlockingResponse
object, and can set either itscancel
or itsauthCredentials
properties. filter
webRequest.RequestFilter
. A filter that restricts the events that will be sent to this listener.extraInfoSpec
Optionalarray
ofstring
. Extra options for the event. You can pass any of the following values:-
"blocking"
: make the request synchronous, so you can cancel the request or supply authentication credentials"asyncBlocking"
: pass a callback argument to the event listener, so you can supply authentication credentials asynchronously. If you include this option, you can also cancel asynchronously. If you include this option, you must not include"blocking"
."
responseHeaders
"
: includeresponseHeaders
in thedetails
object passed to the listener
Additional objects
details
requestId
string
. The ID of the request. Request IDs are unique within a browser session, so you can use them to relate different events associated with the same request.url
string
. Target of the request.method
string
. Standard HTTP method: for example, "GET" or "POST".frameId
integer
. Zero if the request happens in the main frame; a positive value is the ID of a subframe in which the request happens. If the document of a (sub-)frame is loaded (type
ismain_frame
orsub_frame
),frameId
indicates the ID of this frame, not the ID of the outer frame. Frame IDs are unique within a tab.parentFrameId
integer
. ID of the frame that contains the frame which sent the request. Set to -1 if no parent frame exists.tabId
integer
. ID of the tab in which the request takes place. Set to -1 if the request isn't related to a tab.type
webRequest.ResourceType
. The type of resource being requested: for example, "image", "script", "stylesheet".timeStamp
number
. The time when this event fired, in milliseconds since the epoch.scheme
string
. The authentication scheme:"basic"
or"digest
".realm
Optionalstring
. The authentication realm provided by the server, if there is one.challenger
object
. The server requesting authentication. This is an object with the following properties:-
host
string
. The server's hostname.port
integer
. The server's port number.
isProxy
boolean
.true
for Proxy-Authenticate,false
for WWW-Authenticate.responseHeaders
OptionalwebRequest.HttpHeaders
. The HTTP response headers that were received along with this response.statusLine
string
. HTTP status line of the response or the 'HTTP/0.9 200 OK' string for HTTP/0.9 responses (i.e., responses that lack a status line) or an empty string if there are no headers.statusCode
integer
. Standard HTTP status code returned by the server.
Browser compatibility
Examples
This code just observes authentication requests for the target URL:
var target = "https://intranet.company.com/"; function observe(requestDetails) { console.log("observing: " + requestDetails.requestId); } chrome.webRequest.onAuthRequired.addListener( observe, {urls: [target]} );
This code cancels authentication requests for the target URL:
var target = "https://intranet.company.com/"; function cancel(requestDetails) { console.log("canceling: " + requestDetails.requestId); return {cancel: true}; } chrome.webRequest.onAuthRequired.addListener( cancel, {urls: [target]}, ["blocking"] );
This code supplies credentials synchronously. It has to keep track of outstanding requests, to ensure that it doesn't repeatedly try to submit bad credentials:
var target = "https://intranet.company.com/"; var myCredentials = { username: "me@company.com", password: "zDR$ERHGDFy" } var pendingRequests = []; // A request has completed. // We can stop worrying about it. function completed(requestDetails) { console.log("completed: " + requestDetails.requestId); var index = pendingRequests.indexOf(requestDetails.requestId); if (index > -1) { pendingRequests.splice(index, 1); } } function provideCredentialsSync(requestDetails) { // If we have seen this request before, then // assume our credentials were bad, and give up. if (pendingRequests.indexOf(requestDetails.requestId) != -1) { console.log("bad credentials for: " + requestDetails.requestId); return {cancel:true}; } pendingRequests.push(requestDetails.requestId); console.log("providing credentials for: " + requestDetails.requestId); return {authCredentials: myCredentials}; } chrome.webRequest.onAuthRequired.addListener( provideCredentialsSync, {urls: [target]}, ["blocking"] ); chrome.webRequest.onCompleted.addListener( completed, {urls: [target]} ); chrome.webRequest.onErrorOccurred.addListener( completed, {urls: [target]} );
This code supplies credentials asynchronously, fetching them from storage. It also has to keep track of outstanding requests, to ensure that it doesn't repeatedly try to submit bad credentials:
var target = "https://intranet.company.com/"; var pendingRequests = []; // A request has completed. // We can stop worrying about it. function completed(requestDetails) { console.log("completed: " + requestDetails.requestId); var index = pendingRequests.indexOf(requestDetails.requestId); if (index > -1) { pendingRequests.splice(index, 1); } } function provideCredentialsAsync(requestDetails, callback) { function gotCredentials(credentials) { callback({authCredentials: credentials}); } // If we have seen this request before, // then assume our credentials were bad, // and give up. if (pendingRequests.indexOf(requestDetails.requestId) != -1) { console.log("bad credentials for: " + requestDetails.requestId); callback({cancel:true}); } else { pendingRequests.push(requestDetails.requestId); console.log("providing credentials for: " + requestDetails.requestId); chrome.storage.local.get(null, gotCredentials); } } chrome.webRequest.onAuthRequired.addListener( provideCredentialsAsync, {urls: [target]}, ["asyncBlocking"] ); chrome.webRequest.onCompleted.addListener( completed, {urls: [target]} ); chrome.webRequest.onErrorOccurred.addListener( completed, {urls: [target]} );
This API is based on Chromium's chrome.webRequest
API. This documentation is derived from web_request.json
in the Chromium code.
// Copyright 2015 The Chromium Authors. All rights reserved. // // Redistribution and use in source and binary forms, with or without // modification, are permitted provided that the following conditions are // met: // // * Redistributions of source code must retain the above copyright // notice, this list of conditions and the following disclaimer. // * Redistributions in binary form must reproduce the above // copyright notice, this list of conditions and the following disclaimer // in the documentation and/or other materials provided with the // distribution. // * Neither the name of Google Inc. nor the names of its // contributors may be used to endorse or promote products derived from // this software without specific prior written permission. // // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS // "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT // LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR // A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT // OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, // SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT // LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, // DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.