Blocking webRequest use case - alternative authentication schemes #168
Labels
topic: dnr
Related to declarativeNetRequest
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Blocking
webRequestis the only tool available to developers to create custom authentication schemes.Common methods to send credentials with top level requests are: cookies, basic HTTP authentication and client-side certificates.
Cookies have a number of disadvantages: were never intended to prevent linking requests from the same user; are stored in the browser and can leak easily; are included in all requests to a given domain (even when they are not needed).
Browsers do not provide built-in tools for using token-based authentication (oauth, etc) in top level requests.
Blocking
webRequestallows reading, modifying and removing http headers, which allows developers to experiment with new authentication models.The WebExtension
cookiepermission is not a solution, as cookies are being set globally.Examples
There are use-cases that cannot be implemented without the help of WebExtension:
Ghostery example: Private Search
The Ghostery search (https://glowstery.com/)
is a website that uses server side rendering. It is public, but displays private sponsored links unless a user has a subscription. To prove that a request is from a subscribed user, a token is inserted (generated in advance with a blind signature scheme). The token is inserted as a custom HTTP header.
Cookies cannot be used in for private search engines, as they would link all requests and thus reveal the user's search history.
Currently, it is implemented as follows:
glowstery.com, generates a token, and updates the requests by setting the custom header (here the blocking webRequest API is used)The text was updated successfully, but these errors were encountered: