Hello blink-dev@

Are there any objections or questions about starting the removal of this header?
If not, I would appreciate LGTMs to let me proceed with a 1% stable roll-out in M112.

Sincerely,
Peter Birk Pakkenberg
Software Engineer
pb...@chromium.org

On Thu, 30 Mar 2023 at 16:17, Peter Birk Pakkenberg <pb...@chromium.org> wrote:

> Hello blink-dev@
>
> Are there any objections to start shipping this feature in M112?
>
> Sincerely,
> Peter Birk Pakkenberg
> Software Engineer
> pb...@chromium.org
>
> On Wed, 15 Mar 2023 at 14:24, Peter Birk Pakkenberg <pb...@chromium.org> wrote:
>
>> Hi Mike,
>>
>> We plan to keep the setRequestedWithHeaderOriginAllowList API for the
>> duration of the XRW origin trial, but have not made any decisions beyond
>> that at this point in either direction.
>>
>> Sincerely,
>> Peter Birk Pakkenberg
>> Software Engineer
>> pb...@chromium.org
>>
>> On Mon, 13 Mar 2023 at 14:41, Mike Taylor <miketa...@chromium.org> wrote:
>>
>>> On 3/13/23 9:11 AM, Peter Birk Pakkenberg wrote:
>>>
>>> Contact emails
>>>
>>> pb...@chromium.org
>>>
>>> Explainer
>>>
>>> Android Developer Blog post
>>> <https://android-developers.googleblog.com/2023/02/improving-user-privacy-by-requiring-opt-in-to-send-x-requested-wih-header-from-webview.html>
>>>
>>> Summary
>>>
>>> Removes the default X-Requested-With header from HTTP requests made by
>>> WebView.
>>>
>>> The X-Requested-With header is set by WebView, with the package name of
>>> the embedding apk as the value.
>>>
>>> This use of the header will be discontinued.
>>>
>>> Developers who rely on this header can sign up for a deprecation origin
>>> trial
>>> <https://developer.chrome.com/origintrials/#/view_trial/1390486384950640641>
>>> to continue to receive the header during the deprecation period.
>>>
>>> The deprecation origin trial will be extended until replacement APIs are
>>> available to address use cases of the header, as explained in this Android
>>> Developer Blog post
>>> <https://android-developers.googleblog.com/2023/02/improving-user-privacy-by-requiring-opt-in-to-send-x-requested-wih-header-from-webview.html>.
>>>
>>> The roll-out of this removal will be slower than usual. See “Estimated
>>> milestones” below.
>>>
>>> Blink component
>>>
>>> Mobile>WebView
>>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Mobile%3EWebView>
>>>
>>> Search tags
>>>
>>> Headers <https://chromestatus.com/features#tags:Headers>
>>>
>>> TAG review
>>>
>>> TAG review status
>>>
>>> Not applicable
>>>
>>> Risks
>>>
>>> Interoperability and Compatibility
>>>
>>> Gecko: N/A
>>>
>>> WebKit: N/A
>>>
>>> Web developers: No signals
>>>
>>> Other signals:
>>>
>>> WebView application risks
>>>
>>> Does this intent deprecate or change behavior of existing APIs, such
>>> that it has potentially high risk for Android WebView-based applications?
>>>
>>> This feature removes a header sent by default by WebView. It should have
>>> no direct impact on applications using WebViews, but sites loaded in the
>>> WebView will no longer receive the X-Requested-With header unless the app
>>> explicitly allowlists the site
>>> <https://developer.android.com/reference/androidx/webkit/WebSettingsCompat#setRequestedWithHeaderOriginAllowList(android.webkit.WebSettings,java.util.Set%3Cjava.lang.String%3E)>
>>> to receive the header or the site participates in the deprecation trial.
>>>
>>> Do you expect to deprecate setRequestedWithHeaderOriginAllowList at some
>>> future point?
>>>
>>> Will this feature be supported on all six Blink platforms (Windows, Mac,
>>> Linux, Chrome OS, Android, and Android WebView)?
>>>
>>> No
>>>
>>> WebView-only feature being deprecated
>>>
>>> Is this feature fully tested by web-platform-tests
>>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
>>>
>>> No - WebView is not covered by Web Platform Tests.
>>>
>>> Flag name
>>>
>>> WebViewXRequestedWithHeaderControl
>>>
>>> Requires code in //chrome?
>>>
>>> False
>>>
>>> Tracking bug
>>>
>>> https://crbug.com/960720
>>>
>>> Estimated milestones
>>>
>>> - Roll-out in M111 beta (up to 50%)
>>> - Roll-out in M112 stable (up to 1%)
>>> - Roll-out to M113 stable (up to 5%)
>>>
>>> Further roll-out to be assessed based on developer input and feedback,
>>> considering that people might need time to adopt the OT.
>>>
>>> While we have announced the change through public developer
>>> communications and direct outreach to several partners, receiving mostly
>>> positive or neutral feedback, we expect that negative impacts, if any, will
>>> be more visible at 1% and 5% of stable traffic. We may want to allow more
>>> time to adopt the deprecation trial before continuing to ramp up.
>>>
>>> This looks like a reasonable, conservative rollout plan, thanks.
>>>
>>> Link to entry on the Chrome Platform Status
>>>
>>> https://chromestatus.com/feature/5160086884843520
>>>
>>> Links to previous Intent discussions
>>>
>>> Intent to Deprecate:
>>> https://groups.google.com/a/chromium.org/g/blink-dev/c/k9HL9muJPxs
>>>
>>> This intent message was generated by Chrome Platform Status
>>> <https://chromestatus.com/>.
>>>
>>> Sincerely,
>>> Peter Birk Pakkenberg
>>> Software Engineer
>>> pb...@chromium.org
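
The app-side opt-in mentioned under "WebView application risks" could look like the following. This is an added example, not code from the thread or from Chromium; the class name and the example.com origins are placeholders, and it assumes an app that depends on the androidx.webkit library.

```java
import android.webkit.WebView;
import androidx.webkit.WebSettingsCompat;
import androidx.webkit.WebViewFeature;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

/** Hypothetical helper: opts specific origins back in to X-Requested-With. */
public final class RequestedWithHeaderConfig {

    // Placeholder origins. List only origins the app's own backend serves:
    // every listed origin learns the embedding app's package name.
    private static final Set<String> HEADER_ORIGINS =
            Collections.unmodifiableSet(new HashSet<>(Arrays.asList(
                    "https://app.example.com",
                    "https://login.example.com")));

    private RequestedWithHeaderConfig() {}

    /**
     * Returns true if the allow-list was installed on this WebView.
     * Returns false when the installed WebView does not support the API,
     * in which case the app has no control over the header from this side.
     */
    public static boolean apply(WebView webView) {
        if (!WebViewFeature.isFeatureSupported(
                WebViewFeature.REQUESTED_WITH_HEADER_ALLOW_LIST)) {
            return false;
        }
        try {
            // Replaces any previously configured allow-list for this WebView.
            WebSettingsCompat.setRequestedWithHeaderOriginAllowList(
                    webView.getSettings(), HEADER_ORIGINS);
            return true;
        } catch (IllegalArgumentException malformedOrigin) {
            // A malformed origin pattern is rejected; treat the header as
            // not configured rather than falling back to a broader pattern.
            return false;
        }
    }
}
```

Call `apply` before the first `loadUrl` so that the initial navigation already uses the allow-list.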