Hi Carlos - that's correct. We've ended the experiments removing the HTTP header as we were unable to provide a sufficient alternative, resulting in breakage to important abuse and fraud prevention use cases.
Thanks,
Peter

On Sat, Sep 6, 2025 at 5:32 PM Carlos Solorzano <[email protected]> wrote:

> Sorry if this is not the right place to ask but I'm curious what the
> status of this is? I'm on WebView 141 and it is still sending the
> X-Requested-With header.
>
> On Wednesday, April 19, 2023 at 2:55:38 PM UTC-5 Chris Harrelson wrote:
>
>> LGTM3
>>
>> On Wed, Apr 12, 2023 at 1:14 AM Peter Birk Pakkenberg <[email protected]>
>> wrote:
>>
>>> Thank you Mike and Yoav,
>>>
>>> Can I get a third LGTM to let me proceed to a 1% roll-out on stable?
>>>
>>> Sincerely,
>>> Peter Birk Pakkenberg
>>> Software Engineer
>>> [email protected]
>>>
>>> On Fri, 7 Apr 2023 at 12:05, Yoav Weiss <[email protected]> wrote:
>>>
>>>> LGTM2
>>>>
>>>> It seems like there's no way for us to know who relies on this without
>>>> trying the removal and finding out. Slow and careful rollout makes sense in
>>>> that case.
>>>>
>>>> On Wed, Apr 5, 2023 at 8:58 PM Mike Taylor <[email protected]>
>>>> wrote:
>>>>
>>>>> Apologies Peter, this intent fell off the radar of our tooling.
>>>>>
>>>>> LGTM1 to proceed with the outlined plan. Thanks for creating a
>>>>> deprecation trial and blogging about it.
>>>>>
>>>>> On 4/5/23 1:07 PM, Peter Birk Pakkenberg wrote:
>>>>>
>>>>> Hello blink-dev@
>>>>>
>>>>> Are there any objections or questions about starting the removal of
>>>>> this header?
>>>>>
>>>>> If not, I would appreciate LGTM's to let me proceed with a 1% stable
>>>>> roll-out in M112.
>>>>>
>>>>> Sincerely,
>>>>> Peter Birk Pakkenberg
>>>>> Software Engineer
>>>>> [email protected]
>>>>>
>>>>> On Thu, 30 Mar 2023 at 16:17, Peter Birk Pakkenberg <
>>>>> [email protected]> wrote:
>>>>>
>>>>>> Hello blink-dev@
>>>>>>
>>>>>> Are there any objections to start shipping this feature in M112?
>>>>>>
>>>>>> Sincerely,
>>>>>> Peter Birk Pakkenberg
>>>>>> Software Engineer
>>>>>> [email protected]
>>>>>>
>>>>>> On Wed, 15 Mar 2023 at 14:24, Peter Birk Pakkenberg <
>>>>>> [email protected]> wrote:
>>>>>>
>>>>>>> Hi Mike,
>>>>>>>
>>>>>>> We plan to keep the setRequestedWithHeaderOriginAllowList API for
>>>>>>> the duration of the XRW origin trial, but have not made any decisions
>>>>>>> beyond that at this point in either direction.
>>>>>>>
>>>>>>> Sincerely,
>>>>>>> Peter Birk Pakkenberg
>>>>>>> Software Engineer
>>>>>>> [email protected]
>>>>>>>
>>>>>>> On Mon, 13 Mar 2023 at 14:41, Mike Taylor <[email protected]>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> On 3/13/23 9:11 AM, Peter Birk Pakkenberg wrote:
>>>>>>>>
>>>>>>>> Contact emails
>>>>>>>>
>>>>>>>> [email protected]
>>>>>>>>
>>>>>>>> Explainer
>>>>>>>>
>>>>>>>> Android Developer Blog post
>>>>>>>> <https://android-developers.googleblog.com/2023/02/improving-user-privacy-by-requiring-opt-in-to-send-x-requested-wih-header-from-webview.html>
>>>>>>>>
>>>>>>>> Summary
>>>>>>>>
>>>>>>>> Removes the default X-Requested-With header from HTTP requests made
>>>>>>>> by WebView.
>>>>>>>>
>>>>>>>> The X-Requested-With header is set by WebView, with the package
>>>>>>>> name of the embedding apk as the value.
>>>>>>>>
>>>>>>>> This use of the header will be discontinued.
>>>>>>>>
>>>>>>>> Developers who rely on this header can sign up for a deprecation
>>>>>>>> origin trial
>>>>>>>> <https://developer.chrome.com/origintrials/#/view_trial/1390486384950640641>
>>>>>>>> to continue to receive the header during the deprecation period.
>>>>>>>>
>>>>>>>> The deprecation origin trial will be extended until replacement
>>>>>>>> APIs are available to address use cases of the header, as explained in
>>>>>>>> this Android Developer Blog post
>>>>>>>> <https://android-developers.googleblog.com/2023/02/improving-user-privacy-by-requiring-opt-in-to-send-x-requested-wih-header-from-webview.html>.
>>>>>>>>
>>>>>>>> The roll-out of this removal will be slower than usual. See
>>>>>>>> “Estimated milestones” below.
>>>>>>>>
>>>>>>>> Blink component
>>>>>>>>
>>>>>>>> Mobile>WebView
>>>>>>>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Mobile%3EWebView>
>>>>>>>>
>>>>>>>> Search tags
>>>>>>>>
>>>>>>>> Headers <https://chromestatus.com/features#tags:Headers>
>>>>>>>>
>>>>>>>> TAG review
>>>>>>>>
>>>>>>>> TAG review status
>>>>>>>>
>>>>>>>> Not applicable
>>>>>>>>
>>>>>>>> Risks
>>>>>>>>
>>>>>>>> Interoperability and Compatibility
>>>>>>>>
>>>>>>>> Gecko: N/A
>>>>>>>>
>>>>>>>> WebKit: N/A
>>>>>>>>
>>>>>>>> Web developers: No signals
>>>>>>>>
>>>>>>>> Other signals:
>>>>>>>>
>>>>>>>> WebView application risks
>>>>>>>>
>>>>>>>> Does this intent deprecate or change behavior of existing APIs,
>>>>>>>> such that it has potentially high risk for Android WebView-based
>>>>>>>> applications?
>>>>>>>>
>>>>>>>> This feature removes a header sent by default by WebView. It should
>>>>>>>> have no direct impact on applications using WebViews, but sites loaded
>>>>>>>> in the WebView will no longer receive the X-Requested-With header
>>>>>>>> unless the app explicitly allowlists the site
>>>>>>>> <https://developer.android.com/reference/androidx/webkit/WebSettingsCompat#setRequestedWithHeaderOriginAllowList(android.webkit.WebSettings,java.util.Set%3Cjava.lang.String%3E)>
>>>>>>>> to receive the header or the site participates in the deprecation
>>>>>>>> trial.
>>>>>>>>
>>>>>>>> Do you expect to deprecate setRequestedWithHeaderOriginAllowList at
>>>>>>>> some future point?
>>>>>>>>
>>>>>>>> Will this feature be supported on all six Blink platforms (Windows,
>>>>>>>> Mac, Linux, Chrome OS, Android, and Android WebView)?
>>>>>>>>
>>>>>>>> No
>>>>>>>>
>>>>>>>> WebView-only feature being deprecated
>>>>>>>>
>>>>>>>> Is this feature fully tested by web-platform-tests
>>>>>>>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
>>>>>>>>
>>>>>>>> No - WebView is not covered by Web Platform Tests.
>>>>>>>>
>>>>>>>> Flag name
>>>>>>>>
>>>>>>>> WebViewXRequestedWithHeaderControl
>>>>>>>>
>>>>>>>> Requires code in //chrome?
>>>>>>>>
>>>>>>>> False
>>>>>>>>
>>>>>>>> Tracking bug
>>>>>>>>
>>>>>>>> https://crbug.com/960720
>>>>>>>>
>>>>>>>> Estimated milestones
>>>>>>>>
>>>>>>>> - Roll-out in M111 beta (up to 50%)
>>>>>>>> - Roll-out in M112 stable (up to 1%)
>>>>>>>> - Roll-out to M113 stable (up to 5%)
>>>>>>>>
>>>>>>>> Further roll-out to be assessed based on developer input and
>>>>>>>> feedback, considering that people might need time to adopt the OT.
>>>>>>>>
>>>>>>>> While we have announced the change through public developer
>>>>>>>> communications and direct outreach to several partners, receiving
>>>>>>>> mostly positive or neutral feedback, we expect that negative impacts,
>>>>>>>> if any, will be more visible at 1% and 5% of stable traffic. We may
>>>>>>>> want to allow more time to adopt the deprecation trial before
>>>>>>>> continuing to ramp up.
>>>>>>>>
>>>>>>>> This looks like a reasonable, conservative rollout plan, thanks.
>>>>>>>>
>>>>>>>> Link to entry on the Chrome Platform Status
>>>>>>>>
>>>>>>>> https://chromestatus.com/feature/5160086884843520
>>>>>>>>
>>>>>>>> Links to previous Intent discussions
>>>>>>>>
>>>>>>>> Intent to Deprecate:
>>>>>>>> https://groups.google.com/a/chromium.org/g/blink-dev/c/k9HL9muJPxs
>>>>>>>>
>>>>>>>> This intent message was generated by Chrome Platform Status
>>>>>>>> <https://chromestatus.com/>.
>>>>>>>>
>>>>>>>> Sincerely,
>>>>>>>> Peter Birk Pakkenberg
>>>>>>>> Software Engineer
>>>>>>>> [email protected]
>>>>>>>> --
>>>>>>>> You received this message because you are subscribed to the Google
>>>>>>>> Groups "blink-dev" group.
>>>>>>>> To unsubscribe from this group and stop receiving emails from it,
>>>>>>>> send an email to [email protected].
>>>>>>>> To view this discussion on the web visit
>>>>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CACvTYjtyf389m7ywT7042GXBzVCz4z6Pmn9UCNztMA23ewTZqw%40mail.gmail.com
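
For sites that consume this header in abuse or fraud checks, the following is an added example, not part of the thread and not Chromium or Android code. It shows one way a server could handle the header being present, absent or malformed; the function name, the `KNOWN_EMBEDDERS` set, the length bound and the sample package names are assumptions, and the `XMLHttpRequest` value is the JavaScript-library convention rather than something the thread mentions.

```python
import re

# Android application IDs: two or more dot-separated segments, each starting
# with a letter and containing only letters, digits and underscores.
_PACKAGE_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]*(?:\.[A-Za-z][A-Za-z0-9_]*)+")

# Constructed sample policy: embedding apps this site already knows about.
KNOWN_EMBEDDERS = {"com.example.partnerapp"}

# Assumed sanity bound on the header value, not a platform limit.
MAX_VALUE_LEN = 255


def classify_requested_with(headers):
    """Return (category, package) for a request's X-Requested-With header.

    The value is supplied by the client, so the result is one risk signal to
    weigh with other evidence, never proof of which app sent the request.
    """
    # HTTP header names are case-insensitive.
    value = next((v for k, v in headers.items()
                  if k.lower() == "x-requested-with"), None)
    if value is None:
        # Normal for browsers, for WebView traffic in a removal experiment,
        # and wherever WebView does not send the header to this site.
        return ("absent", None)
    value = value.strip()
    if value == "XMLHttpRequest":
        # Set by page JavaScript, not by WebView itself.
        return ("ajax", None)
    if len(value) <= MAX_VALUE_LEN and _PACKAGE_RE.fullmatch(value):
        known = value in KNOWN_EMBEDDERS
        return ("known-embedder" if known else "unknown-embedder", value)
    # Not a shape WebView would produce by default: record it, trust nothing.
    return ("malformed", None)
```

A site that treats `absent` as a hard failure breaks for every request where WebView omits the header, which is the kind of breakage a staged roll-out is meant to surface.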
