On 3/13/23 9:11 AM, Peter Birk Pakkenberg wrote:
Contact emails
pb...@chromium.org
Explainer
Android Developer Blog post
<https://android-developers.googleblog.com/2023/02/improving-user-privacy-by-requiring-opt-in-to-send-x-requested-wih-header-from-webview.html>
Summary
Removes the default X-Requested-With header from HTTP requests made by
WebView.
The X-Requested-With header is set by WebView, with the package name
of the embedding apk as the value.
This use of the header will be discontinued.
Developers who rely on this header can sign up for a deprecation
origin trial
<https://developer.chrome.com/origintrials/#/view_trial/1390486384950640641>to
continue to receive the header during the deprecation period.
The deprecation origin trial will be extended until replacement APIs
are available to address use cases of the header, as explained in this
Android Developer Blog post
<https://android-developers.googleblog.com/2023/02/improving-user-privacy-by-requiring-opt-in-to-send-x-requested-wih-header-from-webview.html>.
The roll-out of this removal will be slower than usual. See “Estimated
milestones” below.
Blink component
Mobile>WebView
<https://bugs.chromium.org/p/chromium/issues/list?q=component:Mobile%3EWebView>
Search tags
Headers <https://chromestatus.com/features#tags:Headers>
TAG review
TAG review status
Not applicable
Risks
Interoperability and Compatibility
Gecko: N/A
WebKit: N/A
Web developers: No signals
Other signals:
WebView application risks
Does this intent deprecate or change behavior of existing APIs, such
that it has potentially high risk for Android WebView-based applications?
This feature removes a header sent by default by WebView. It should
have no direct impact on applications using WebViews, but sites loaded
in the WebView will no longer receive the X-Requested-With header
unless the app explicitly allowlist the site
<https://developer.android.com/reference/androidx/webkit/WebSettingsCompat#setRequestedWithHeaderOriginAllowList(android.webkit.WebSettings,java.util.Set%3Cjava.lang.String%3E)>to
receive the header or the site participates in the deprecation trial.
Do you expect to deprecate setRequestedWithHeaderOriginAllowList at some
future point?
Will this feature be supported on all six Blink platforms
(Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?
No
WebView-only feature being deprecated
Is this feature fully tested by web-platform-tests
<https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
No - WebView is not covered by Web Platform Tests.
Flag name
WebViewXRequestedWithHeaderControl
Requires code in //chrome?
False
Tracking bug
https://crbug.com/960720 <https://crbug.com/960720>
Estimated milestones
*
Roll-out in M111 beta (up to 50%)
*
Roll-out in M112 stable (up to 1%)
*
Roll-out to M113 stable (up to 5%)
Further roll-out to be assessed based on developer input and
feedback, considering that people might need time to adopt the OT.
While we have announced the change through public developer
communications and direct outreach to several partners, receiving
mostly positive or neutral feedback, we expect that negative impacts,
if any, will be more visible at 1% and 5% of stable traffic. We may
want to allow more time to adopt the deprecation trial before
continuing to ramp up.
This looks like a reasonable, conservative rollout plan, thanks.
Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5160086884843520
<https://chromestatus.com/feature/5160086884843520>
Links to previous Intent discussions
Intent to Deprecate:
https://groups.google.com/a/chromium.org/g/blink-dev/c/k9HL9muJPxs
<https://groups.google.com/a/chromium.org/g/blink-dev/c/k9HL9muJPxs>
This intent message was generated by Chrome Platform Status
<https://chromestatus.com/>.
Sincerely,
Google Logo
Peter Birk Pakkenberg
Software Engineer
pb...@chromium.org
--
You received this message because you are subscribed to the Google
Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to blink-dev+unsubscr...@chromium.org.
To view this discussion on the web visit
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CACvTYjtyf389m7ywT7042GXBzVCz4z6Pmn9UCNztMA23ewTZqw%40mail.gmail.com
<https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CACvTYjtyf389m7ywT7042GXBzVCz4z6Pmn9UCNztMA23ewTZqw%40mail.gmail.com?utm_medium=email&utm_source=footer>.
--
You received this message because you are subscribed to the Google Groups
"blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to blink-dev+unsubscr...@chromium.org.
To view this discussion on the web visit
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/33fe0c2f-56b3-c856-3792-0e70d0ab7a09%40chromium.org.
