Hello blink-dev@

Are there any objections to start shipping this feature in M112?

Sincerely,
Peter Birk Pakkenberg
Software Engineer
pb...@chromium.org

On Wed, 15 Mar 2023 at 14:24, Peter Birk Pakkenberg <pb...@chromium.org> wrote:

> Hi Mike,
>
> We plan to keep the setRequestedWithHeaderOriginAllowList API for the duration of the XRW origin trial, but have not made any decisions beyond that at this point in either direction.
>
> Sincerely,
> Peter Birk Pakkenberg
> Software Engineer
> pb...@chromium.org
>
> On Mon, 13 Mar 2023 at 14:41, Mike Taylor <miketa...@chromium.org> wrote:
>
>> On 3/13/23 9:11 AM, Peter Birk Pakkenberg wrote:
>>
>> Contact emails
>>
>> pb...@chromium.org
>>
>> Explainer
>>
>> Android Developer Blog post <https://android-developers.googleblog.com/2023/02/improving-user-privacy-by-requiring-opt-in-to-send-x-requested-wih-header-from-webview.html>
>>
>> Summary
>>
>> Removes the default X-Requested-With header from HTTP requests made by WebView.
>>
>> The X-Requested-With header is set by WebView, with the package name of the embedding apk as the value.
>>
>> This use of the header will be discontinued.
>>
>> Developers who rely on this header can sign up for a deprecation origin trial <https://developer.chrome.com/origintrials/#/view_trial/1390486384950640641> to continue to receive the header during the deprecation period.
>>
>> The deprecation origin trial will be extended until replacement APIs are available to address use cases of the header, as explained in this Android Developer Blog post <https://android-developers.googleblog.com/2023/02/improving-user-privacy-by-requiring-opt-in-to-send-x-requested-wih-header-from-webview.html>.
>>
>> The roll-out of this removal will be slower than usual. See “Estimated milestones” below.
>>
>> Blink component
>>
>> Mobile>WebView <https://bugs.chromium.org/p/chromium/issues/list?q=component:Mobile%3EWebView>
>>
>> Search tags
>>
>> Headers <https://chromestatus.com/features#tags:Headers>
>>
>> TAG review
>>
>> TAG review status
>>
>> Not applicable
>>
>> Risks
>>
>> Interoperability and Compatibility
>>
>> Gecko: N/A
>>
>> WebKit: N/A
>>
>> Web developers: No signals
>>
>> Other signals:
>>
>> WebView application risks
>>
>> Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
>>
>> This feature removes a header sent by default by WebView. It should have no direct impact on applications using WebViews, but sites loaded in the WebView will no longer receive the X-Requested-With header unless the app explicitly allowlists the site <https://developer.android.com/reference/androidx/webkit/WebSettingsCompat#setRequestedWithHeaderOriginAllowList(android.webkit.WebSettings,java.util.Set%3Cjava.lang.String%3E)> to receive the header or the site participates in the deprecation trial.
>>
>> Do you expect to deprecate setRequestedWithHeaderOriginAllowList at some future point?
>>
>> Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?
>>
>> No
>>
>> WebView-only feature being deprecated
>>
>> Is this feature fully tested by web-platform-tests <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
>>
>> No - WebView is not covered by Web Platform Tests.
>>
>> Flag name
>>
>> WebViewXRequestedWithHeaderControl
>>
>> Requires code in //chrome?
>>
>> False
>>
>> Tracking bug
>>
>> https://crbug.com/960720
>>
>> Estimated milestones
>>
>> - Roll-out in M111 beta (up to 50%)
>> - Roll-out in M112 stable (up to 1%)
>> - Roll-out to M113 stable (up to 5%)
>>
>> Further roll-out to be assessed based on developer input and feedback, considering that people might need time to adopt the OT.
>>
>> While we have announced the change through public developer communications and direct outreach to several partners, receiving mostly positive or neutral feedback, we expect that negative impacts, if any, will be more visible at 1% and 5% of stable traffic. We may want to allow more time to adopt the deprecation trial before continuing to ramp up.
>>
>> This looks like a reasonable, conservative rollout plan, thanks.
>>
>> Link to entry on the Chrome Platform Status
>>
>> https://chromestatus.com/feature/5160086884843520
>>
>> Links to previous Intent discussions
>>
>> Intent to Deprecate: https://groups.google.com/a/chromium.org/g/blink-dev/c/k9HL9muJPxs
>>
>> This intent message was generated by Chrome Platform Status <https://chromestatus.com/>.
>>
>> Sincerely,
>> Peter Birk Pakkenberg
>> Software Engineer
>> pb...@chromium.org