There are various use cases, common among all of them is that WebView usage isn't always through SDKs - it's entirely valid for an app to load arbitrary Web content in a WebView, which in turn might include ads, or ask the user to sign in, make a payment, and so on.
Thanks, Peter On Thu, Oct 9, 2025 at 3:53 PM Carlos Solorzano <[email protected]> wrote: > I'm assuming you are mostly talking about fraud on ads that use the > WebView? Feels like that should be controlled at the ad network level, they > control their own WebView's so they can force the header to be sent. > > Also as far as I know, iOS doesn't send this header, so I'm not sure why > Android needs it? > > On Monday, September 8, 2025 at 8:52:30 AM UTC-5 Carlos Solorzano wrote: > >> Sorry if this is not the right place to ask but I'm curious what the >> status of this is? I'm on WebView 141 and it is still sending the >> X-Requested-With header. >> >> On Wednesday, April 19, 2023 at 2:55:38 PM UTC-5 Chris Harrelson wrote: >> >>> LGTM3 >>> >>> On Wed, Apr 12, 2023 at 1:14 AM Peter Birk Pakkenberg < >>> [email protected]> wrote: >>> >>>> Thank you Mike and Yoav, >>>> >>>> Can I get a third LGTM to let me proceed to a 1% roll-out on stable? >>>> >>>> >>>> Sincerely, >>>> [image: Google Logo] >>>> Peter Birk Pakkenberg >>>> Software Engineer >>>> [email protected] >>>> >>>> >>>> On Fri, 7 Apr 2023 at 12:05, Yoav Weiss <[email protected]> wrote: >>>> >>>>> LGTM2 >>>>> >>>>> It seems like there's no way for us to know who relies on this without >>>>> trying the removal and finding out. Slow and careful rollout makes sense >>>>> in >>>>> that case. >>>>> >>>>> On Wed, Apr 5, 2023 at 8:58 PM Mike Taylor <[email protected]> >>>>> wrote: >>>>> >>>>>> Apologies Peter, this intent fell off the radar of our tooling. >>>>>> >>>>>> LGTM1 to proceed with the outlined plan. Thanks for creating a >>>>>> deprecation trial and blogging about it. >>>>>> On 4/5/23 1:07 PM, Peter Birk Pakkenberg wrote: >>>>>> >>>>>> Hello blink-dev@ >>>>>> >>>>>> Are there any objections or questions about starting the removal of >>>>>> this header? >>>>>> >>>>>> If not, I would appreciate LGTM's to let me proceed with a 1% stable >>>>>> roll-out in M112. >>>>>> >>>>>> Sincerely, >>>>>> [image: Google Logo] >>>>>> Peter Birk Pakkenberg >>>>>> Software Engineer >>>>>> [email protected] >>>>>> >>>>>> >>>>>> On Thu, 30 Mar 2023 at 16:17, Peter Birk Pakkenberg < >>>>>> [email protected]> wrote: >>>>>> >>>>>>> Hello blink-dev@ >>>>>>> >>>>>>> Are there any objections to start shipping this feature in M112? >>>>>>> >>>>>>> Sincerely, >>>>>>> [image: Google Logo] >>>>>>> Peter Birk Pakkenberg >>>>>>> Software Engineer >>>>>>> [email protected] >>>>>>> >>>>>>> >>>>>>> On Wed, 15 Mar 2023 at 14:24, Peter Birk Pakkenberg < >>>>>>> [email protected]> wrote: >>>>>>> >>>>>>>> Hi Mike, >>>>>>>> >>>>>>>> We plan to keep the setRequestedWithHeaderOriginAllowList API for >>>>>>>> the duration of the XRW origin trial, but have not made any decisions >>>>>>>> beyond that at this point in either direction. >>>>>>>> >>>>>>>> Sincerely, >>>>>>>> [image: Google Logo] >>>>>>>> Peter Birk Pakkenberg >>>>>>>> Software Engineer >>>>>>>> [email protected] >>>>>>>> >>>>>>>> >>>>>>>> On Mon, 13 Mar 2023 at 14:41, Mike Taylor <[email protected]> >>>>>>>> wrote: >>>>>>>> >>>>>>>>> On 3/13/23 9:11 AM, Peter Birk Pakkenberg wrote: >>>>>>>>> >>>>>>>>> Contact emails >>>>>>>>> >>>>>>>>> [email protected] >>>>>>>>> >>>>>>>>> Explainer >>>>>>>>> >>>>>>>>> Android Developer Blog post >>>>>>>>> <https://android-developers.googleblog.com/2023/02/improving-user-privacy-by-requiring-opt-in-to-send-x-requested-wih-header-from-webview.html> >>>>>>>>> >>>>>>>>> Summary >>>>>>>>> >>>>>>>>> Removes the default X-Requested-With header from HTTP requests >>>>>>>>> made by WebView. >>>>>>>>> >>>>>>>>> The X-Requested-With header is set by WebView, with the package >>>>>>>>> name of the embedding apk as the value. >>>>>>>>> >>>>>>>>> This use of the header will be discontinued. >>>>>>>>> >>>>>>>>> Developers who rely on this header can sign up for a deprecation >>>>>>>>> origin trial >>>>>>>>> <https://developer.chrome.com/origintrials/#/view_trial/1390486384950640641> >>>>>>>>> to continue to receive the header during the deprecation period. >>>>>>>>> >>>>>>>>> The deprecation origin trial will be extended until replacement >>>>>>>>> APIs are available to address use cases of the header, as explained >>>>>>>>> in this Android >>>>>>>>> Developer Blog post >>>>>>>>> <https://android-developers.googleblog.com/2023/02/improving-user-privacy-by-requiring-opt-in-to-send-x-requested-wih-header-from-webview.html> >>>>>>>>> . >>>>>>>>> >>>>>>>>> The roll-out of this removal will be slower than usual. See >>>>>>>>> “Estimated milestones” below. >>>>>>>>> >>>>>>>>> Blink component >>>>>>>>> >>>>>>>>> Mobile>WebView >>>>>>>>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Mobile%3EWebView> >>>>>>>>> >>>>>>>>> Search tags >>>>>>>>> >>>>>>>>> Headers <https://chromestatus.com/features#tags:Headers> >>>>>>>>> >>>>>>>>> TAG review >>>>>>>>> >>>>>>>>> TAG review status >>>>>>>>> >>>>>>>>> Not applicable >>>>>>>>> >>>>>>>>> Risks >>>>>>>>> >>>>>>>>> Interoperability and Compatibility >>>>>>>>> >>>>>>>>> Gecko: N/A >>>>>>>>> >>>>>>>>> WebKit: N/A >>>>>>>>> >>>>>>>>> Web developers: No signals >>>>>>>>> >>>>>>>>> Other signals: >>>>>>>>> >>>>>>>>> WebView application risks >>>>>>>>> >>>>>>>>> Does this intent deprecate or change behavior of existing APIs, >>>>>>>>> such that it has potentially high risk for Android WebView-based >>>>>>>>> applications? >>>>>>>>> >>>>>>>>> This feature removes a header sent by default by WebView. It >>>>>>>>> should have no direct impact on applications using WebViews, but sites >>>>>>>>> loaded in the WebView will no longer receive the X-Requested-With >>>>>>>>> header >>>>>>>>> unless the app explicitly allowlist the site >>>>>>>>> <https://developer.android.com/reference/androidx/webkit/WebSettingsCompat#setRequestedWithHeaderOriginAllowList(android.webkit.WebSettings,java.util.Set%3Cjava.lang.String%3E)> >>>>>>>>> to receive the header or the site participates in the deprecation >>>>>>>>> trial. >>>>>>>>> >>>>>>>>> Do you expect to deprecate setRequestedWithHeaderOriginAllowList >>>>>>>>> at some future point? >>>>>>>>> >>>>>>>>> Will this feature be supported on all six Blink platforms >>>>>>>>> (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)? >>>>>>>>> >>>>>>>>> No >>>>>>>>> >>>>>>>>> WebView-only feature being deprecated >>>>>>>>> >>>>>>>>> >>>>>>>>> Is this feature fully tested by web-platform-tests >>>>>>>>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md> >>>>>>>>> ? >>>>>>>>> >>>>>>>>> No - WebView is not covered by Web Platform Tests. >>>>>>>>> >>>>>>>>> Flag name >>>>>>>>> >>>>>>>>> WebViewXRequestedWithHeaderControl >>>>>>>>> >>>>>>>>> Requires code in //chrome? >>>>>>>>> >>>>>>>>> False >>>>>>>>> >>>>>>>>> Tracking bug >>>>>>>>> >>>>>>>>> https://crbug.com/960720 >>>>>>>>> >>>>>>>>> Estimated milestones >>>>>>>>> >>>>>>>>> - >>>>>>>>> >>>>>>>>> Roll-out in M111 beta (up to 50%) >>>>>>>>> - >>>>>>>>> >>>>>>>>> Roll-out in M112 stable (up to 1%) >>>>>>>>> - >>>>>>>>> >>>>>>>>> Roll-out to M113 stable (up to 5%) >>>>>>>>> >>>>>>>>> Further roll-out to be assessed based on developer input and >>>>>>>>> feedback, considering that people might need time to adopt the OT. >>>>>>>>> >>>>>>>>> While we have announced the change through public developer >>>>>>>>> communications and direct outreach to several partners, receiving >>>>>>>>> mostly >>>>>>>>> positive or neutral feedback, we expect that negative impacts, if >>>>>>>>> any, will >>>>>>>>> be more visible at 1% and 5% of stable traffic. We may want to allow >>>>>>>>> more >>>>>>>>> time to adopt the deprecation trial before continuing to ramp up. >>>>>>>>> >>>>>>>>> This looks like a reasonable, conservative rollout plan, thanks. >>>>>>>>> >>>>>>>>> Link to entry on the Chrome Platform Status >>>>>>>>> >>>>>>>>> https://chromestatus.com/feature/5160086884843520 >>>>>>>>> >>>>>>>>> Links to previous Intent discussions >>>>>>>>> >>>>>>>>> Intent to Deprecate: >>>>>>>>> https://groups.google.com/a/chromium.org/g/blink-dev/c/k9HL9muJPxs >>>>>>>>> >>>>>>>>> >>>>>>>>> This intent message was generated by Chrome Platform Status >>>>>>>>> <https://chromestatus.com/>. >>>>>>>>> >>>>>>>>> >>>>>>>>> Sincerely, >>>>>>>>> [image: Google Logo] >>>>>>>>> Peter Birk Pakkenberg >>>>>>>>> Software Engineer >>>>>>>>> [email protected] >>>>>>>>> -- >>>>>>>>> You received this message because you are subscribed to the Google >>>>>>>>> Groups "blink-dev" group. >>>>>>>>> To unsubscribe from this group and stop receiving emails from it, >>>>>>>>> send an email to [email protected]. >>>>>>>>> To view this discussion on the web visit >>>>>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CACvTYjtyf389m7ywT7042GXBzVCz4z6Pmn9UCNztMA23ewTZqw%40mail.gmail.com >>>>>>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CACvTYjtyf389m7ywT7042GXBzVCz4z6Pmn9UCNztMA23ewTZqw%40mail.gmail.com?utm_medium=email&utm_source=footer> >>>>>>>>> . >>>>>>>>> >>>>>>>>> -- >>>>>> You received this message because you are subscribed to the Google >>>>>> Groups "blink-dev" group. >>>>>> To unsubscribe from this group and stop receiving emails from it, >>>>>> send an email to [email protected]. >>>>>> To view this discussion on the web visit >>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/63373d78-6db4-e974-2451-24fad35903da%40chromium.org >>>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/63373d78-6db4-e974-2451-24fad35903da%40chromium.org?utm_medium=email&utm_source=footer> >>>>>> . >>>>>> >>>>> -- >>>> You received this message because you are subscribed to the Google >>>> Groups "blink-dev" group. >>>> To unsubscribe from this group and stop receiving emails from it, send >>>> an email to [email protected]. >>>> >>> To view this discussion on the web visit >>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CACvTYjuUBd_9qULnJyumjR7ye_DRQcv_oULzPJpx8TQ_aLWOWA%40mail.gmail.com >>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CACvTYjuUBd_9qULnJyumjR7ye_DRQcv_oULzPJpx8TQ_aLWOWA%40mail.gmail.com?utm_medium=email&utm_source=footer> >>>> . >>>> >>> -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CALt3x6nQHY_FiwKdu857avqF4iCXGDnah63T6nY3mitJKmVhHQ%40mail.gmail.com.
