Hi Mike, We plan to keep the setRequestedWithHeaderOriginAllowList API for the duration of the XRW origin trial, but have not made any decisions beyond that at this point in either direction.
Sincerely, [image: Google Logo] Peter Birk Pakkenberg Software Engineer pb...@chromium.org On Mon, 13 Mar 2023 at 14:41, Mike Taylor <miketa...@chromium.org> wrote: > On 3/13/23 9:11 AM, Peter Birk Pakkenberg wrote: > > Contact emails > > pb...@chromium.org > > Explainer > > Android Developer Blog post > <https://android-developers.googleblog.com/2023/02/improving-user-privacy-by-requiring-opt-in-to-send-x-requested-wih-header-from-webview.html> > > Summary > > Removes the default X-Requested-With header from HTTP requests made by > WebView. > > The X-Requested-With header is set by WebView, with the package name of > the embedding apk as the value. > > This use of the header will be discontinued. > > Developers who rely on this header can sign up for a deprecation origin > trial > <https://developer.chrome.com/origintrials/#/view_trial/1390486384950640641> > to continue to receive the header during the deprecation period. > > The deprecation origin trial will be extended until replacement APIs are > available to address use cases of the header, as explained in this Android > Developer Blog post > <https://android-developers.googleblog.com/2023/02/improving-user-privacy-by-requiring-opt-in-to-send-x-requested-wih-header-from-webview.html> > . > > The roll-out of this removal will be slower than usual. See “Estimated > milestones” below. > > Blink component > > Mobile>WebView > <https://bugs.chromium.org/p/chromium/issues/list?q=component:Mobile%3EWebView> > > Search tags > > Headers <https://chromestatus.com/features#tags:Headers> > > TAG review > > TAG review status > > Not applicable > > Risks > > Interoperability and Compatibility > > Gecko: N/A > > WebKit: N/A > > Web developers: No signals > > Other signals: > > WebView application risks > > Does this intent deprecate or change behavior of existing APIs, such that > it has potentially high risk for Android WebView-based applications? > > This feature removes a header sent by default by WebView. It should have > no direct impact on applications using WebViews, but sites loaded in the > WebView will no longer receive the X-Requested-With header unless the app > explicitly > allowlist the site > <https://developer.android.com/reference/androidx/webkit/WebSettingsCompat#setRequestedWithHeaderOriginAllowList(android.webkit.WebSettings,java.util.Set%3Cjava.lang.String%3E)> > to receive the header or the site participates in the deprecation trial. > > Do you expect to deprecate setRequestedWithHeaderOriginAllowList at some > future point? > > Will this feature be supported on all six Blink platforms (Windows, Mac, > Linux, Chrome OS, Android, and Android WebView)? > > No > > WebView-only feature being deprecated > > > Is this feature fully tested by web-platform-tests > <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md> > ? > > No - WebView is not covered by Web Platform Tests. > > Flag name > > WebViewXRequestedWithHeaderControl > > Requires code in //chrome? > > False > > Tracking bug > > https://crbug.com/960720 > > Estimated milestones > > - > > Roll-out in M111 beta (up to 50%) > - > > Roll-out in M112 stable (up to 1%) > - > > Roll-out to M113 stable (up to 5%) > > Further roll-out to be assessed based on developer input and feedback, > considering that people might need time to adopt the OT. > > While we have announced the change through public developer communications > and direct outreach to several partners, receiving mostly positive or > neutral feedback, we expect that negative impacts, if any, will be more > visible at 1% and 5% of stable traffic. We may want to allow more time to > adopt the deprecation trial before continuing to ramp up. > > This looks like a reasonable, conservative rollout plan, thanks. > > Link to entry on the Chrome Platform Status > > https://chromestatus.com/feature/5160086884843520 > > Links to previous Intent discussions > > Intent to Deprecate: > https://groups.google.com/a/chromium.org/g/blink-dev/c/k9HL9muJPxs > > > This intent message was generated by Chrome Platform Status > <https://chromestatus.com/>. > > > Sincerely, > [image: Google Logo] > Peter Birk Pakkenberg > Software Engineer > pb...@chromium.org > -- > You received this message because you are subscribed to the Google Groups > "blink-dev" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to blink-dev+unsubscr...@chromium.org. > To view this discussion on the web visit > https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CACvTYjtyf389m7ywT7042GXBzVCz4z6Pmn9UCNztMA23ewTZqw%40mail.gmail.com > <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CACvTYjtyf389m7ywT7042GXBzVCz4z6Pmn9UCNztMA23ewTZqw%40mail.gmail.com?utm_medium=email&utm_source=footer> > . > > -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CACvTYjtMDah8CquME3CtP6BujgFhtq6qRave%2BMJWNXPNLp5zUA%40mail.gmail.com.