It's kind of working on accident, but only because a bunch of bugs are cancelling each other out.

First, the life cycle diagram in the documentation is wrong. If HTTP auth is canceled, there is no extra request. The HTTP 401 response is simply passed on to the caller. So that means we'd either go from onAuthRequired straight to onResponseStarted, or we repeat onHeadersReceived. HTTP auth has been around forever, so I don't believe that state machine's ever been correct.
https://developer.chrome.com/extensions/webRequest

Right now URLRequest repeats NotifyHeadersReceived on CancelAuth. That means it should clear the response header override (failing to do so causes extensions bugs like  issue #801237 ). However, webRequest does not expect that extra onHeadersReceived, and so it actually leaves the override alone. Thus if we fix the CancelAuth leg of the URLRequest bug, webRequest's header injection on canceling auth will break.

I think the possible end states here are:

- OnReceivedHeaders only ever gets called after auth is resolved, and OnStartTransaction isn't called for restarts. This is probably too invasive of a change.

- OnReceivedHeaders does not get called a second time on the same response if we do CancelAuth. webRequest goes straight from onAuthRequired to onResponseStarted.

- webRequest sees two onReceivedHeaders events when auth is cancelled. The state machine goes from onAuthRequired to onReceivedHeaders to onResponseStarted.