Tags: authentication, http, basic-authentication, http-authentication

Is realm still a required parameter in Basic authentication scheme?


On one hand, RFC 7617 Section 2 clearly states that the parameter realm is REQUIRED in Basic authentication scheme:

The Basic authentication scheme utilizes the Authentication Framework as follows.

In challenges:
o  The scheme name is "Basic".
o  The authentication parameter 'realm' is REQUIRED ([RFC7235], Section 2.2).

On the other hand, in the Mozilla docs the parameter realm is marked as OPTIONAL in the Basic section of the WWW-Authenticate header description, and the Syntax section additionally confirms it:

For example, Basic authentication allows for optional realm and charset keys, but does not support token68.

WWW-Authenticate: Basic
WWW-Authenticate: Basic realm=<realm>
WWW-Authenticate: Basic realm=<realm>, charset="UTF-8"

Also, this Stack Overflow answer mentions that realm is no longer always required and links to RFC 7235 Section 4.1. But I can't seem to find proof of this statement in the mentioned RFC, except maybe for this fragment in Appendix A (not very convincing, especially since this RFC is from 2014 and 7617 is from 2015):

Appendix A.  Changes from RFCs 2616 and 2617

The framework for HTTP Authentication is now defined by this document, rather than RFC 2617.

The "realm" parameter is no longer always required on challenges; consequently, the ABNF allows challenges without any auth parameters. (Section 2)

Moreover, in practice most modern browsers seem to work perfectly fine if the realm parameter is missing in the WWW-Authenticate header.

So, is realm still considered a required parameter in the case of Basic authentication?


Solution

  • Yes, realm is required. MDN docs were incorrect and have been fixed.
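As an added example (not code from the question or the answer above), the following Python shows what the RFC text means in practice on both sides of the exchange: a server builds a Basic challenge with realm always present and quoted (RFC 7235 defines realm-value as a quoted-string) and charset only ever "UTF-8" (the only value RFC 7617 permits); a checker parses an incoming WWW-Authenticate value and reports a bare "Basic" challenge as non-compliant, which is exactly the case browsers tolerate; and the Authorization decoder splits user-id from password on the first colon only, because RFC 7617 forbids colons in the user-id but not in the password. Function names and the sample realms are constructed for this example; the Aladdin / "open sesame" credential is the one RFC 7617 itself uses.

```python
"""Build, check and decode HTTP Basic authentication headers (RFC 7617 / RFC 7235).

Added example; function names and sample values are constructed for illustration.
"""
import base64
import re
from typing import Dict, List, Optional, Tuple

# auth-param = token BWS "=" BWS ( token / quoted-string )   (RFC 7235 section 2.1)
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"(?:[^"\\]|\\.)*"'
_AUTH_PARAM = re.compile(rf"\s*({_TOKEN})\s*=\s*({_TOKEN}|{_QUOTED})\s*")


def build_basic_challenge(realm: str, charset: Optional[str] = None) -> str:
    """Return a WWW-Authenticate value for the Basic scheme.

    realm is REQUIRED (RFC 7617 section 2) and is emitted as a quoted-string
    (RFC 7235 section 2.2: realm-value = quoted-string). charset is optional
    and, when present, may only be UTF-8 (RFC 7617 section 2.1).
    """
    if not realm:
        raise ValueError("realm is REQUIRED for Basic challenges")
    quoted = '"' + realm.replace("\\", "\\\\").replace('"', '\\"') + '"'
    value = f"Basic realm={quoted}"
    if charset is not None:
        if charset.upper() != "UTF-8":
            raise ValueError("only UTF-8 is allowed for the charset parameter")
        value += ', charset="UTF-8"'
    return value


def parse_challenge(header_value: str) -> Dict[str, object]:
    """Parse a single WWW-Authenticate challenge into its scheme and auth-params."""
    scheme, _, rest = header_value.strip().partition(" ")
    params: Dict[str, str] = {}
    rest = rest.strip()
    while rest:
        m = _AUTH_PARAM.match(rest)
        if not m:
            raise ValueError(f"malformed auth-param near {rest!r}")
        name, value = m.group(1).lower(), m.group(2)
        if value.startswith('"'):
            # Strip the quotes and undo quoted-pair escaping (\" and \\).
            value = re.sub(r"\\(.)", r"\1", value[1:-1])
        if name in params:
            raise ValueError(f"duplicate parameter {name!r}")
        params[name] = value
        rest = rest[m.end():]
        if rest.startswith(","):
            rest = rest[1:].lstrip()
        elif rest:
            raise ValueError(f"expected ',' between auth-params near {rest!r}")
    return {"scheme": scheme.lower(), "params": params}


def check_basic_challenge(header_value: str) -> List[str]:
    """Return the list of RFC 7617 problems with a challenge; empty means compliant."""
    try:
        challenge = parse_challenge(header_value)
    except ValueError as exc:
        return [str(exc)]
    if challenge["scheme"] != "basic":
        return [f"not a Basic challenge: {challenge['scheme']!r}"]
    params = challenge["params"]
    problems = []
    if "realm" not in params:
        problems.append("realm parameter is missing (REQUIRED by RFC 7617 section 2)")
    if "charset" in params and params["charset"].upper() != "UTF-8":
        problems.append(f"charset must be UTF-8, got {params['charset']!r}")
    return problems


def encode_basic_credentials(user_id: str, password: str) -> str:
    """Return an Authorization value for user_id/password (UTF-8, per RFC 7617)."""
    if ":" in user_id:
        raise ValueError("user-id must not contain a colon (RFC 7617 section 2)")
    token68 = base64.b64encode(f"{user_id}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token68}"


def parse_basic_credentials(authorization: str, charset: str = "utf-8") -> Tuple[str, str]:
    """Decode 'Basic <base64>' into (user-id, password), splitting on the FIRST colon only."""
    scheme, _, token68 = authorization.strip().partition(" ")
    if scheme.lower() != "basic" or not token68.strip():
        raise ValueError("not a Basic credential")
    try:
        raw = base64.b64decode(token68.strip(), validate=True)
    except Exception as exc:  # binascii.Error or ValueError for non-alphabet input
        raise ValueError("invalid base64 in Basic credential") from exc
    user_id, sep, password = raw.decode(charset).partition(":")
    if not sep:
        raise ValueError("Basic credential must contain a colon")
    return user_id, password


if __name__ == "__main__":
    print(build_basic_challenge("WallyWorld", charset="utf-8"))
    print(check_basic_challenge("Basic"))  # the browser-tolerated but non-compliant form
    print(parse_basic_credentials("Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="))
```

The checker is deliberately strict about what the RFCs say rather than what browsers accept: a bare `Basic` challenge is flagged even though clients authenticate against it fine, and any charset other than UTF-8 is rejected. If you must interoperate with an older server that sends a non-UTF-8 password, pass the expected encoding to parse_basic_credentials explicitly instead of guessing.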