Re: [blink-dev] Intent to Deprecate: X-Requested-With in WebView

[Mike Taylor]

I'm a big fan of removing passive fingerprinting signals, so thanks for 
driving this work. Just a few questions:

https://bugs.chromium.org/p/chromium/issues/detail?id=960720#c2 stated 
that "changing the default behaviour would be a significant 
compatibility risk" - I assume your team is going to publish some 
migration guidance for developers to reduce the risk. Can you confirm?

Also, this intent mentions a deprecation trial - does that already 
exist? Could you give more details on the plans there? (I don't recall 
seeing a "Request for Deprecation Trial" for that, but I'm bad at email...)

Can you also clarify your proposed timelines (for the deprecation trial, 
and removal)?

thanks,
Mike

On 12/19/22 12:13 PM, 'Peter Birk Pakkenberg' via blink-dev wrote:
Hi Rick,

Yes - removal is part of the goal here.

Sincerely,
Google Logo     
Peter Birk Pakkenberg
Software Engineer
pb...@google.com
+447469379358



On Mon, 19 Dec 2022 at 17:08, Rick Byers <rby...@chromium.org> wrote:

    Thanks for working to remove this non-standard WebView-only
    behavior, I agree it's a privacy issue. I assume this is an
    "Intent to Deprecate and Remove
    
<https://www.chromium.org/blink/launching-features/#:~:text=%E2%80%9CIntent%20to%20Deprecate%20and%20Remove%E2%80%9D>"
    looking for permission to remove this behavior (not just mark it
    'deprecated'), is that right?

    If so, LGTM1.

    There may still be some compat and developer messaging risks, but
    the WebView team (of which Peter is a member) are the right
    experts to navigate those.



    On Mon, Dec 19, 2022 at 5:18 AM 'Peter Birk Pakkenberg' via
    blink-dev <blink-dev@chromium.org> wrote:


                Contact emails

        pb...@google.com


                Explainer

        None


                Specification



                Summary

        Removes the default X-Requested-With header from HTTP requests
        made by WebView.


        The X-Requested-With header is set by WebView, with the
        package name of the embedding apk as the value.

        This use of the header will be discontinued.



                Blink component

        Mobile>WebView
        
<https://bugs.chromium.org/p/chromium/issues/list?q=component:Mobile%3EWebView>


                Motivation

        The header as implemented in WebView does not follow the
        principle of meaningful consent of all parties exchanging the
        information[1]. Developer can utilize unreliable and
        undocumented methods to opt-out.

        Users are not provided with an opt-out option. The content
        owner is the only party with full control over the information
        provided in the header.


        APK name is also an abundant source of passive fingerprinting
        information about the users. It contains specific information
        about the browsing context. When the application is not
        omnipresent (i.e. has a relatively small user base), together
        with other information (e.g. approx. geolocation based on an
        IP address), it can provide a fairly unique identifier of a user.


        On top of those privacy issues, the header is undocumented,
        used in non-WebView context for a completely different
        purpose, notoriously misunderstood, and causing security
        issues since its introduction.


        [1]:https://w3ctag.github.io/design-principles/#consent
        <https://w3ctag.github.io/design-principles/#consent>




                Initial public proposal



                Search tags

        Headers <https://chromestatus.com/features#tags:Headers>


                TAG review



                TAG review status

        Not applicable


                Risks



                Interoperability and Compatibility



        Gecko: N/A


        WebKit: N/A


        Web developers: No signals


        Other signals:


                WebView application risks

        Does this intent deprecate or change behavior of existing
        APIs, such that it has potentially high risk for Android
        WebView-based applications?

        This feature removes a header sent by default by WebView. It
        should have no direct impact on applications using WebViews,
        but sites loaded in the WebView will no longer receive the
        X-Requested-With header unless the app explicitly allowlist
        the site[1] to receive the header or the site participates in
        the deprecation trial.


        
[1]:https://developer.android.com/reference/androidx/webkit/WebSettingsCompat#setRequestedWithHeaderOriginAllowList(android.webkit.WebSettings,java.util.Set%3Cjava.lang.String%3E)
        
<https://developer.android.com/reference/androidx/webkit/WebSettingsCompat#setRequestedWithHeaderOriginAllowList(android.webkit.WebSettings,java.util.Set%3Cjava.lang.String%3E)>



                Debuggability



                Is this feature fully tested by web-platform-tests
                
<https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?

        No


                Flag name

        WebViewXRequestedWithHeaderControl


                Requires code in //chrome?

        False


                Tracking bug

        https://crbug.com/960720 <https://crbug.com/960720>


                Launch bug

        https://launch.corp.google.com/launch/4136516
        <https://launch.corp.google.com/launch/4136516>


                Estimated milestones


        DevTrial on Android

                

        109


        OriginTrial webView first

                

        110




                Link to entry on the Chrome Platform Status

        https://chromestatus.com/feature/5160086884843520
        <https://chromestatus.com/feature/5160086884843520>


        This intent message was generated by Chrome Platform Status
        <https://chromestatus.com/>.



        Sincerely,
        Google Logo     
        Peter Birk Pakkenberg
        Software Engineer
        pb...@google.com
        +447469379358 <tel:+44%207469%20379358>

        -- 
        You received this message because you are subscribed to the
        Google Groups "blink-dev" group.
        To unsubscribe from this group and stop receiving emails from
        it, send an email to blink-dev+unsubscr...@chromium.org.
        To view this discussion on the web visit
        
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CACvTYjv0PC76S%3DZkg66V_KCPfrb3tAnryWGnA6TfQz-ay2yXKA%40mail.gmail.com
        
<https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CACvTYjv0PC76S%3DZkg66V_KCPfrb3tAnryWGnA6TfQz-ay2yXKA%40mail.gmail.com?utm_medium=email&utm_source=footer>.

--
You received this message because you are subscribed to the Google 
Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send 
an email to blink-dev+unsubscr...@chromium.org.
To view this discussion on the web visit 
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CACvTYjuZy4SeHwVCJ%2BGvawdGrAR6myzAJEwZEX6Jmymii6wxDg%40mail.gmail.com 
<https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CACvTYjuZy4SeHwVCJ%2BGvawdGrAR6myzAJEwZEX6Jmymii6wxDg%40mail.gmail.com?utm_medium=email&utm_source=footer>.

--
You received this message because you are subscribed to the Google Groups 
"blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to blink-dev+unsubscr...@chromium.org.
To view this discussion on the web visit 
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/8fa0dca9-03eb-9882-b686-c053e5d2153e%40chromium.org.