Contact emails pb...@google.com
Explainer
None

Specification

Summary
Removes the default X-Requested-With header from HTTP requests made by WebView. The X-Requested-With header is set by WebView, with the package name of the embedding APK as the value. This use of the header will be discontinued.

Blink component
Mobile>WebView <https://bugs.chromium.org/p/chromium/issues/list?q=component:Mobile%3EWebView>

Motivation
The header as implemented in WebView does not follow the principle of meaningful consent of all parties exchanging the information [1]. Developers can utilize unreliable and undocumented methods to opt out. Users are not provided with an opt-out option. The content owner is the only party with full control over the information provided in the header.

The APK name is also an abundant source of passive fingerprinting information about users. It contains specific information about the browsing context. When the application is not omnipresent (i.e. has a relatively small user base), together with other information (e.g. approximate geolocation based on an IP address), it can provide a fairly unique identifier of a user.

On top of those privacy issues, the header is undocumented, used in non-WebView contexts for a completely different purpose, notoriously misunderstood, and has been causing security issues since its introduction.

[1]: https://w3ctag.github.io/design-principles/#consent

Initial public proposal

Search tags
Headers <https://chromestatus.com/features#tags:Headers>

TAG review

TAG review status
Not applicable

Risks

Interoperability and Compatibility

Gecko: N/A
WebKit: N/A
Web developers: No signals
Other signals:

WebView application risks
Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
This feature removes a header sent by default by WebView.
It should have no direct impact on applications using WebViews, but sites loaded in the WebView will no longer receive the X-Requested-With header unless the app explicitly allowlists the site [1] to receive the header or the site participates in the deprecation trial.

[1]: https://developer.android.com/reference/androidx/webkit/WebSettingsCompat#setRequestedWithHeaderOriginAllowList(android.webkit.WebSettings,java.util.Set%3Cjava.lang.String%3E)

Debuggability

Is this feature fully tested by web-platform-tests <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
No

Flag name
WebViewXRequestedWithHeaderControl

Requires code in //chrome?
False

Tracking bug
https://crbug.com/960720

Launch bug
https://launch.corp.google.com/launch/4136516

Estimated milestones
DevTrial on Android 109
OriginTrial webView first 110

Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5160086884843520

This intent message was generated by Chrome Platform Status <https://chromestatus.com/>.

Sincerely,

Peter Birk Pakkenberg
Software Engineer
pb...@google.com
+447469379358

To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CACvTYjv0PC76S%3DZkg66V_KCPfrb3tAnryWGnA6TfQz-ay2yXKA%40mail.gmail.com.
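The allowlist path mentioned above, as an added example that is not part of this intent or of the AndroidX/Chromium code: an embedding app restricts the X-Requested-With header to one explicitly named origin through androidx.webkit, guarding the call with a feature check so it degrades cleanly on WebView builds that predate the control. The feature constant WebViewFeature.REQUESTED_WITH_HEADER_ALLOW_LIST and the origin "https://api.example.com" are assumptions (the origin is a constructed placeholder).

```java
// Added example (not from the intent or the AndroidX project): confine the
// package-name header to one first-party origin instead of sending it to
// every site loaded in the WebView.
import android.webkit.WebSettings;
import android.webkit.WebView;
import androidx.webkit.WebSettingsCompat;
import androidx.webkit.WebViewFeature;
import java.util.Collections;
import java.util.Set;

public final class RequestedWithHeaderPolicy {
    // Constructed placeholder: the only origin that legitimately needs to
    // learn the embedding APK's package name. Every other site gets nothing.
    private static final Set<String> ALLOWED_ORIGINS =
            Collections.singleton("https://api.example.com");

    private RequestedWithHeaderPolicy() {}

    /**
     * Applies the allowlist before any content is loaded. Returns false when
     * the installed WebView does not implement the control, so the caller can
     * log that the legacy behaviour (header sent to all origins) still applies.
     */
    public static boolean apply(WebView webView) {
        // Feature constant assumed from androidx.webkit; verify against the
        // library version you ship. Calling the setter without this check
        // throws on older WebView builds.
        if (!WebViewFeature.isFeatureSupported(
                WebViewFeature.REQUESTED_WITH_HEADER_ALLOW_LIST)) {
            return false;
        }
        WebSettings settings = webView.getSettings();
        WebSettingsCompat.setRequestedWithHeaderOriginAllowList(settings, ALLOWED_ORIGINS);
        return true;
    }
}
```

Once the default header is gone, server-side code that keyed CSRF or client-identification logic on X-Requested-With must treat its absence as the normal case for WebView traffic, not as a signal of tampering.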