1 <h2 id="manifest">Manifest</h2> 2 <p>You must declare the "webRequest" permission in the <a 3 href="manifest">extension manifest</a> to use the web request 4 API, along with <a href="declare_permissions">host permissions</a> 5 for any hosts whose network requests you want to access. If you want to 6 use the web request API in a blocking fashion, you need to request 7 the "webRequestBlocking" permission in addition. 8 For example:</p> 9 <pre data-filename="manifest.json"> 10 { 11 "name": "My extension", 12 ... 13 <b>"permissions": [ 14 "webRequest", 15 "*://*.google.com/" 16 ]</b>, 17 ... 18 } 19 </pre> 20 21 <h2 id="life_cycle">Life cycle of requests</h2> 22 23 <p> 24 The web request API defines a set of events that follow the life cycle of a web 25 request. You can use these events to observe and analyze traffic. Certain 26 synchronous events will allow you to intercept, block, or modify a request. 27 </p> 28 29 <p> 30 The event life cycle for successful requests is illustrated here, followed by 31 event definitions:<br/> 32 <img src="{{static}}/images/webrequestapi.png" 33 width="385" height="503" 34 alt="Life cycle of a web request from the perspective of the webrequest API" 35 style="margin-left: auto; margin-right: auto; display: block"/> 36 </p> 37 38 <p> 39 <dl> 40 <dt><code>onBeforeRequest</code> (optionally synchronous)</dt> 41 <dd>Fires when a request is about to occur. This event is sent before any TCP 42 connection is made and can be used to cancel or redirect requests.</dd> 43 <dt><code>onBeforeSendHeaders</code> (optionally synchronous)</dt> 44 <dd>Fires when a request is about to occur and the initial headers have been 45 prepared. The event is intended to allow extensions to add, modify, and delete 46 request headers <a href="#life_cycle_footnote">(*)</a>. The 47 <code>onBeforeSendHeaders</code> event is passed to all subscribers, so 48 different subscribers may attempt to modify the request; see the <a 49 href="#implementation">Implementation details</a> section for how this is 50 handled. This event can be used to cancel the request.</dd> 51 <dt><code>onSendHeaders</code></dt> 52 <dd>Fires after all extensions have had a chance to modify the request 53 headers, and presents the final <a href="#life_cycle_footnote">(*)</a> 54 version. The event is triggered before the headers are sent to the network. 55 This event is informational and handled asynchronously. It does not allow 56 modifying or cancelling the request.</dd> 57 <dt><code>onHeadersReceived</code> (optionally synchronous)</dt> 58 <dd>Fires each time that an HTTP(S) response header is received. Due 59 to redirects and authentication requests this can happen multiple times per 60 request. This event is intended to allow extensions to add, modify, and delete 61 response headers, such as incoming Set-Cookie headers. It also allows you to 62 redirect the request.</dd> 63 <dt><code>onAuthRequired</code> (optionally synchronous)</dt> 64 <dd>Fires when a request requires authentication of the user. This event can 65 be handled synchronously to provide authentication credentials. Note that 66 extensions may provide invalid credentials. Take care not to enter an infinite 67 loop by repeatedly providing invalid credentials.</dd> 68 <dt><code>onBeforeRedirect</code></dt> 69 <dd>Fires when a redirect is about to be executed. A redirection can be 70 triggered by an HTTP response code or by an extension. This event is 71 informational and handled asynchronously. It does not allow you to modify or 72 cancel the request. </dd> 73 <dt><code>onResponseStarted</code></dt> 74 <dd>Fires when the first byte of the response body is received. For HTTP 75 requests, this means that the status line and response headers are 76 available. This event is informational and handled asynchronously. It does not 77 allow modifying or cancelling the request.</dd> 78 <dt><code>onCompleted</code></dt> 79 <dd>Fires when a request has been processed successfully.</dd> 80 <dt><code>onErrorOccurred</code></dt> 81 <dd>Fires when a request could not be processed successfully.</dd> 82 </dl> 83 The web request API guarantees that for each request either 84 <code>onCompleted</code> or <code>onErrorOccurred</code> is fired as the final 85 event with one exception: If a request is redirected to a <code>data://</code> 86 URL, <code>onBeforeRedirect</code> is the last reported event. 87 </p> 88 89 <p id="life_cycle_footnote">(*) Note that the web request API presents an 90 abstraction of the network stack to the extension. Internally, one URL request 91 can be split into several HTTP requests (for example to fetch individual byte 92 ranges from a large file) or can be handled by the network stack without 93 communicating with the network. For this reason, the API does not provide the 94 final HTTP headers that are sent to the network. For example, all headers that 95 are related to caching are invisible to the extension.</p> 96 97 <p>The following headers are currently <b>not provided</b> to the 98 <code>onBeforeSendHeaders</code> event. This list is not guaranteed to be 99 complete nor stable. 100 <ul> 101 <li>Authorization</li> 102 <li>Cache-Control</li> 103 <li>Connection</li> 104 <li>Content-Length</li> 105 <li>Host</li> 106 <li>If-Modified-Since</li> 107 <li>If-None-Match</li> 108 <li>If-Range</li> 109 <li>Partial-Data</li> 110 <li>Pragma</li> 111 <li>Proxy-Authorization</li> 112 <li>Proxy-Connection</li> 113 <li>Transfer-Encoding</li> 114 </ul> 115 </p> 116 117 <p> 118 The webRequest API only exposes requests that the extension has 119 permission to see, given its 120 <a href="declare_permissions">host permissions</a>. 121 Moreover, only the following schemes are accessible: 122 <code>http://</code>, 123 <code>https://</code>, 124 <code>ftp://</code>, 125 <code>file://</code>, or 126 <code>chrome-extension://</code>. 127 In addition, even certain requests with URLs using one of the above schemes 128 are hidden, e.g., 129 <code>chrome-extension://other_extension_id</code> where 130 <code>other_extension_id</code> is not the ID of the extension to handle 131 the request, 132 <code>https://www.google.com/chrome</code>, 133 and others (this list is not complete). Also synchronous XMLHttpRequests from 134 your extension are hidden from blocking event handlers in order to prevent 135 deadlocks. 136 Note that for some of the supported schemes the set of available events might be 137 limited due to the nature of the corresponding protocol. 138 For example, for the <q>file:</q> scheme, only <code>onBeforeRequest</code>, 139 <code>onResponseStarted</code>, <code>onCompleted</code>, and 140 <code>onErrorOccurred</code> may be dispatched. 141 </p> 142 143 <h2 id="concepts">Concepts</h2> 144 145 <p>As the following sections explain, events in the web request API use request 146 IDs, and you can optionally specify filters and extra information when you 147 register event listeners.</p> 148 149 <h3 id="Request IDs">Request IDs</h3> 150 151 <p>Each request is identified by a request ID. This ID is unique within a 152 browser session and the context of an extension. It remains constant during the 153 the life cycle of a request and can be used to match events for the same 154 request. Note that several HTTP requests are mapped to one web request in case 155 of HTTP redirection or HTTP authentication.</p> 156 157 <h3 id="subscription">Registering event listeners</h3> 158 159 <p>To register an event listener for a web request, you use a variation on the 160 <a href="events">usual <code>addListener()</code> function</a>. 161 In addition to specifying a callback function, 162 you have to specify a filter argument and you may specify an optional extra info 163 argument.</p> 164 165 <p>The three arguments to the web request API's <code>addListener()</code> have 166 the following definitions:</p> 167 <pre> 168 var callback = function(details) {...}; 169 var filter = {...}; 170 var opt_extraInfoSpec = [...]; 171 </pre> 172 173 <p>Here's an example of listening for the <code>onBeforeRequest</code> 174 event:</p> 175 <pre> 176 chrome.webRequest.onBeforeRequest.addListener( 177 callback, filter, opt_extraInfoSpec); 178 </pre> 179 180 <p>Each <code>addListener()</code> call takes a mandatory callback function as 181 the first parameter. This callback function is passed a dictionary containing 182 information about the current URL request. The information in this dictionary 183 depends on the specific event type as well as the content of 184 <code>opt_extraInfoSpec</code>.</p> 185 186 <p>If the optional <code>opt_extraInfoSpec</code> array contains the string 187 <code>'blocking'</code> (only allowed for specific events), the callback 188 function is handled synchronously. That means that the request is blocked until 189 the callback function returns. In this case, the callback can return a 190 $(ref:webRequest.BlockingResponse) that determines the further 191 life cycle of the request. Depending on the context, this response allows 192 cancelling or redirecting a request (<code>onBeforeRequest</code>), cancelling a 193 request or modifying headers (<code>onBeforeSendHeaders</code>, 194 <code>onHeadersReceived</code>), or providing authentication credentials 195 (<code>onAuthRequired</code>).</p> 196 197 <p>The $(ref:webRequest.RequestFilter) 198 <code>filter</code> allows limiting the requests for which events are 199 triggered in various dimensions: 200 <dl> 201 <dt>URLs</dt> 202 <dd><a href="match_patterns">URL patterns</a> such as 203 <code>*://www.google.com/foo*bar</code>.</dd> 204 <dt>Types</dt> 205 <dd>Request types such as <code>main_frame</code> (a document that is loaded 206 for a top-level frame), <code>sub_frame</code> (a document that is loaded for 207 an embedded frame), and <code>image</code> (an image on a web site). 208 See $(ref:webRequest.RequestFilter).</dd> 209 <dt>Tab ID</dt> 210 <dd>The identifier for one tab.</dd> 211 <dt>Window ID</dt> 212 <dd>The identifier for a window.</dd> 213 </p> 214 215 <p>Depending on the event type, you can specify strings in 216 <code>opt_extraInfoSpec</code> to ask for additional information about the 217 request. This is used to provide detailed information on request's data only 218 if explicitly requested.</p> 219 220 <h2 id="implementation">Implementation details</h2> 221 222 <p>Several implementation details can be important to understand when developing 223 an extension that uses the web request API:</p> 224 225 <h3 id="conflict_resolution">Conflict resolution</h3> 226 <p>In the current implementation of the web request API, a request is considered 227 as cancelled if at least one extension instructs to cancel the request. If 228 an extension cancels a request, all extensions are notified by an 229 <code>onErrorOccurred</code> event. Only one extension is allowed to redirect a 230 request or modify a header at a time. If more than one extension attempts to 231 modify the request, the most recently installed extension wins and all others 232 are ignored. An extension is not notified if its instruction to modify or 233 redirect has been ignored.</p> 234 235 <h3 id="caching">Caching</h3> 236 <p> 237 Chrome employs two caches — an on-disk cache and a very fast in-memory 238 cache. The lifetime of an in-memory cache is attached to the lifetime of a 239 render process, which roughly corresponds to a tab. Requests that are answered 240 from the in-memory cache are invisible to the web request API. If a request 241 handler changes its behavior (for example, the behavior according to which 242 requests are blocked), a simple page refresh might not respect this changed 243 behavior. To make sure the behavior change goes through, call 244 <code>handlerBehaviorChanged()</code> to flush the in-memory cache. But don't do 245 it often; flushing the cache is a very expensive operation. You don't need to 246 call <code>handlerBehaviorChanged()</code> after registering or unregistering an 247 event listener.</p> 248 249 <h3 id="timestamps">Timestamps</h3> 250 <p> 251 The <code>timestamp</code> property of web request events is only guaranteed to 252 be <i>internally</i> consistent. Comparing one event to another event will give 253 you the correct offset between them, but comparing them to the current time 254 inside the extension (via <code>(new Date()).getTime()</code>, for instance) 255 might give unexpected results. 256 </p> 257 258 <h2 id="examples">Examples</h2> 259 260 <p>The following example illustrates how to block all requests to 261 <code>www.evil.com</code>:</p> 262 <pre> 263 chrome.webRequest.onBeforeRequest.addListener( 264 function(details) { 265 return {cancel: details.url.indexOf("://www.evil.com/") != -1}; 266 }, 267 {urls: ["<all_urls>"]}, 268 ["blocking"]); 269 </pre> 270 271 <p>As this function uses a blocking event handler, it requires the "webRequest" 272 as well as the "webRequestBlocking" permission in the manifest file.</p> 273 274 <p>The following example achieves the same goal in a more efficient way because 275 requests that are not targeted to <code>www.evil.com</code> do not need to be 276 passed to the extension:</p> 277 <pre> 278 chrome.webRequest.onBeforeRequest.addListener( 279 function(details) { return {cancel: true}; }, 280 {urls: ["*://www.evil.com/*"]}, 281 ["blocking"]); 282 </pre> 283 284 <p>The following example illustrates how to delete the User-Agent header from 285 all requests:</p> 286 <pre> 287 chrome.webRequest.onBeforeSendHeaders.addListener( 288 function(details) { 289 for (var i = 0; i < details.requestHeaders.length; ++i) { 290 if (details.requestHeaders[i].name === 'User-Agent') { 291 details.requestHeaders.splice(i, 1); 292 break; 293 } 294 } 295 return {requestHeaders: details.requestHeaders}; 296 }, 297 {urls: ["<all_urls>"]}, 298 ["blocking", "requestHeaders"]); 299 </pre> 300 301 <p> For more example code, see the <a href="samples#webrequest">web request 302 samples</a>.</p> 303
