To be clear, this thread is about *deprecating the header*, not about adding the header or changing its behaviour.
Thanks,
Peter

On Fri, Apr 12, 2024 at 4:06 PM Jeeva Kumar <[email protected]> wrote:

> Anyone can fake the X-Requested-With header by doing the following; I
> could emulate a different app package name, so what's the point of this?
>
> ```kotlin
> import android.app.Application
> import android.util.Log
> import dagger.hilt.android.HiltAndroidApp
>
> @HiltAndroidApp
> class BrowserApp : Application() {
>     // WebView reads the package name through org.chromium.base.BuildInfo;
>     // when that class is the caller, report a different package name instead.
>     override fun getPackageName(): String {
>         try {
>             val stackTrace = Thread.currentThread().stackTrace
>             for (element in stackTrace) {
>                 if ("org.chromium.base.BuildInfo".equals(element.className, ignoreCase = true)) {
>                     Log.d("hello", "I am here... ${element.className} - ${element.methodName}")
>                     if ("getPackageName".equals(element.methodName, ignoreCase = true)) {
>                         val customPackageName = "com.tencent.qq"
>                         return customPackageName
>                     }
>                     break
>                 }
>             }
>         } catch (ignored: Exception) {
>             // Fall through to the real package name on any error.
>         }
>         return super.getPackageName()
>     }
> }
> ```
>
> On Saturday 16 March 2024 at 23:54:42 UTC+5:30 David St. Pierre wrote:
>
>> Late to the discussion, but completely agree. Features like this keep
>> appearing in the name of privacy, but in reality have very little to do
>> with privacy, and in effect make it easier and easier to commit fraud.
>>
>> On Thursday, March 7, 2024 at 10:48:35 AM UTC-5 utor wrote:
>>
>>> This effectively allows all the malicious app devs to steal content
>>> from other websites. I fail to understand why people want this to be removed
>>> unless they are planning to steal content from websites; if they are not
>>> planning to do anything to hurt the website owners there is no fear of
>>> exposing this header at all.
>>>
>>> For APKs on the Google Play Store we can report the offending app, but what
>>> about third-party APKs?
>>>
>>> It is a very bad decision to remove this header for WebView.
>>>
>>> Still, thank you for making way for the thieves.
>>>
>>> On Friday 5 January 2024 at 04:23:08 UTC+8 Aman Bansal wrote:
>>>
>>>> That header is still sent even after I updated everything to the latest
>>>> version.
>>>> Android System WebView: 122.0.6181.0
>>>> Chrome: 122.0.6181.0
>>>>
>>>> I am totally confused why it is still sending `X-Requested-With` if
>>>> it is already deprecated?
>>>>
>>>> [image: Screenshot 2024-01-05 at 1.50.17 AM.png] [image: Screenshot 2024-01-05 at 1.48.40 AM.png]
>>>>
>>>> On Monday, December 19, 2022 at 3:48:35 PM UTC+5:30 Peter Birk Pakkenberg wrote:
>>>>
>>>>> Contact emails
>>>>>
>>>>> [email protected]
>>>>>
>>>>> Explainer
>>>>>
>>>>> None
>>>>>
>>>>> Specification
>>>>>
>>>>> Summary
>>>>>
>>>>> Removes the default X-Requested-With header from HTTP requests made by
>>>>> WebView.
>>>>>
>>>>> The X-Requested-With header is set by WebView, with the package name
>>>>> of the embedding APK as the value.
>>>>>
>>>>> This use of the header will be discontinued.
>>>>>
>>>>> Blink component
>>>>>
>>>>> Mobile>WebView
>>>>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Mobile%3EWebView>
>>>>>
>>>>> Motivation
>>>>>
>>>>> The header as implemented in WebView does not follow the principle of
>>>>> meaningful consent of all parties exchanging the information [1]. Developers
>>>>> can utilize unreliable and undocumented methods to opt out.
>>>>>
>>>>> Users are not provided with an opt-out option. The content owner is
>>>>> the only party with full control over the information provided in the
>>>>> header.
>>>>>
>>>>> The APK name is also an abundant source of passive fingerprinting
>>>>> information about the users. It contains specific information about the
>>>>> browsing context. When the application is not omnipresent (i.e. has a
>>>>> relatively small user base), together with other information (e.g. approx.
>>>>> geolocation based on an IP address), it can provide a fairly unique
>>>>> identifier of a user.
>>>>>
>>>>> On top of those privacy issues, the header is undocumented, used in
>>>>> non-WebView contexts for a completely different purpose, notoriously
>>>>> misunderstood, and has been causing security issues since its introduction.
>>>>>
>>>>> [1]: https://w3ctag.github.io/design-principles/#consent
>>>>>
>>>>> Initial public proposal
>>>>>
>>>>> Search tags
>>>>>
>>>>> Headers <https://chromestatus.com/features#tags:Headers>
>>>>>
>>>>> TAG review
>>>>>
>>>>> TAG review status
>>>>>
>>>>> Not applicable
>>>>>
>>>>> Risks
>>>>>
>>>>> Interoperability and Compatibility
>>>>>
>>>>> Gecko: N/A
>>>>>
>>>>> WebKit: N/A
>>>>>
>>>>> Web developers: No signals
>>>>>
>>>>> Other signals:
>>>>>
>>>>> WebView application risks
>>>>>
>>>>> Does this intent deprecate or change behavior of existing APIs, such
>>>>> that it has potentially high risk for Android WebView-based applications?
>>>>>
>>>>> This feature removes a header sent by default by WebView. It should
>>>>> have no direct impact on applications using WebViews, but sites loaded in
>>>>> the WebView will no longer receive the X-Requested-With header unless the
>>>>> app explicitly allowlists the site [1] to receive the header or the site
>>>>> participates in the deprecation trial.
>>>>>
>>>>> [1]:
>>>>> https://developer.android.com/reference/androidx/webkit/WebSettingsCompat#setRequestedWithHeaderOriginAllowList(android.webkit.WebSettings,java.util.Set%3Cjava.lang.String%3E)
>>>>>
>>>>> Debuggability
>>>>>
>>>>> Is this feature fully tested by web-platform-tests
>>>>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
>>>>>
>>>>> No
>>>>>
>>>>> Flag name
>>>>>
>>>>> WebViewXRequestedWithHeaderControl
>>>>>
>>>>> Requires code in //chrome?
>>>>>
>>>>> False
>>>>>
>>>>> Tracking bug
>>>>>
>>>>> https://crbug.com/960720
>>>>>
>>>>> Launch bug
>>>>>
>>>>> https://launch.corp.google.com/launch/4136516
>>>>>
>>>>> Estimated milestones
>>>>>
>>>>> DevTrial on Android
>>>>>
>>>>> 109
>>>>>
>>>>> OriginTrial webView first
>>>>>
>>>>> 110
>>>>>
>>>>> Link to entry on the Chrome Platform Status
>>>>>
>>>>> https://chromestatus.com/feature/5160086884843520
>>>>>
>>>>> This intent message was generated by Chrome Platform Status
>>>>> <https://chromestatus.com/>.
>>>>>
>>>>> Sincerely,
>>>>> Peter Birk Pakkenberg
>>>>> Software Engineer
>>>>> [email protected]
>>>>> +447469379358
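The per-origin allowlist the intent points to, as an added example that is not code from the thread or from the Chromium project; it assumes androidx.webkit 1.6.0 or newer, an app-owned WebView, and a constructed origin `https://api.example.com`:

```kotlin
import android.webkit.WebView
import androidx.webkit.WebSettingsCompat
import androidx.webkit.WebViewFeature

/**
 * After the deprecation, WebView sends no X-Requested-With header unless the
 * embedding app opts specific origins back in. This sends the package name only
 * to the origins listed; every other site loaded in this WebView gets nothing.
 *
 * Returns true when the allowlist was applied, false when the installed WebView
 * does not expose the API (older WebView), so the caller can log the gap.
 */
fun restrictRequestedWithHeader(webView: WebView, trustedOrigins: Set<String>): Boolean {
    if (!WebViewFeature.isFeatureSupported(WebViewFeature.REQUESTED_WITH_HEADER_ALLOW_LIST)) {
        return false
    }
    // Origin rules use scheme://host[:port]; passing "*" would re-enable the
    // header for every origin and bring back the fingerprinting surface the
    // intent describes. Apply before loadUrl so the first request is covered.
    WebSettingsCompat.setRequestedWithHeaderOriginAllowList(webView.settings, trustedOrigins)
    return true
}

// Usage with a constructed origin (hypothetical):
//   restrictRequestedWithHeader(webView, setOf("https://api.example.com"))
//
// Server-side caveat, already visible in this thread: the header value is the
// app's own report of its package name, and a modified app can report any
// value, so receiving sites should treat it as a hint, never as authentication.
```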
