Authentication issue with our own add-on


We developed our own Firefox add-on to provide additional functionality to our employees.

Our setup is an Apache web server which provides our internal CMS. The CMS needs authentication via the htaccess.

As soon as the user was logged in to the CMS successfully on a separate tab, our add-on also started to work and loaded the content from the CMS server.

However, since Firefox version 85.0.1 or 85.0.2 (I am currently not sure anymore) our add-on suddenly receives 401 authentication required instead of just getting the content.

We tried different things to solve the issue. We already:

  • Made an OPTIONS request before the actual GET request and set withCredentials = true
  • Added Header set Access-Control-Allow-Credentials "true" to the Apache vhost configuration

However, unfortunately, nothing worked. Sometimes, the add-on loads the content for unknown reasons but then again it returns with 401.

I set up a completely new Firefox within the Windows Sandbox and installed the add-on there. At first the add-on worked properly, even after closing and restarting Firefox and re-authenticating into the CMS several times, but after a while the add-on in the Windows Sandbox also refused to work and started to return a 401 error.

We do not have any clue why this happens and what else we could do to solve the issue. Is there any change in the newer Firefox versions which would explain this behaviour?

What would be the proper way to pass the authentication details which were provided by the user in a tab to the add-on?

Thank you very much in advance!

Kind regards,

Michael Jünger

Hi Michael, I wonder whether this is related to increased site data partitioning in Firefox 85?

Hi, thank you very much for your hint.

I added our domain to the excepted websites and played around with the security settings but unfortunately with no luck.
I again compared the behavior with the ESR version of Firefox where our add-on still works fine. The difference between the ESR and the newest Firefox is that the Authorization header is missing in the newer Firefox but sent in ESR when we do the GET request to fetch the content for our add-on.

Since we don’t have any idea, we also tried to do an OPTIONS request before the GET request to force a preflight request, but this also does not change anything.

You should see an automatic pre-flight request if it is required in the network inspector. If you don’t see one, I guess the request isn’t considered to be cross origin.

The best way to get this resolved would likely be to get a publicly reproducible minimal example. So an extension that does as little as possible, that everyone can try. This could then in the worst case be used to report a new bug.
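
A small diagnostic along the lines of the minimal example suggested above, added here and not code from the thread or from the add-on: it makes the credentialed GET and reports whether the server answered with a 401 challenge and whether the response carries the headers a credentialed cross-origin request needs. The function names `classifyResponse` and `probe` are hypothetical, and the CORS findings only matter when the browser treats the request as cross-origin.

```javascript
// Added example, not code from the thread. Function names are hypothetical.
// Classify the response to a credentialed GET made by the add-on.
function classifyResponse(status, headers, requestOrigin) {
  // Header names are case-insensitive, so normalise them first.
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = value;
  const findings = [];

  if (status === 401) {
    // A 401 with a challenge means the server saw no acceptable Authorization header.
    const scheme = (h["www-authenticate"] || "").trim().split(/\s+/)[0] || "none";
    findings.push("401: no accepted credentials, challenge scheme=" + scheme);
  }
  // A credentialed cross-origin response must opt in with the exact value "true" ...
  if (h["access-control-allow-credentials"] !== "true") {
    findings.push('Access-Control-Allow-Credentials is not "true"');
  }
  // ... and must name the requesting origin; the wildcard is rejected with credentials.
  const acao = h["access-control-allow-origin"];
  if (acao === undefined) {
    findings.push("Access-Control-Allow-Origin missing");
  } else if (acao === "*") {
    findings.push("Access-Control-Allow-Origin is * (not allowed with credentials)");
  } else if (acao !== requestOrigin) {
    findings.push("Access-Control-Allow-Origin does not match " + requestOrigin);
  }
  return { ok: findings.length === 0, findings };
}

// Make the request and classify it. fetchImpl can be replaced for offline testing.
async function probe(url, requestOrigin, fetchImpl = fetch) {
  const res = await fetchImpl(url, { method: "GET", credentials: "include" });
  const headers = Object.fromEntries(res.headers.entries());
  return classifyResponse(res.status, headers, requestOrigin);
}
```

Comparing the findings from the ESR build and the current release gives a concrete difference to attach to a bug report.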