How does iOS solve this issue without that header? On Thursday, October 9, 2025 at 10:51:58 AM UTC-5 Peter Beverloo wrote:
> There are various use cases, common among all of them is that WebView > usage isn't always through SDKs - it's entirely valid for an app to load > arbitrary Web content in a WebView, which in turn might include ads, or ask > the user to sign in, make a payment, and so on. > > Thanks, > Peter > > On Thu, Oct 9, 2025 at 3:53 PM Carlos Solorzano <[email protected]> > wrote: > >> I'm assuming you are mostly talking about fraud on ads that use the >> WebView? Feels like that should be controlled at the ad network level, they >> control their own WebView's so they can force the header to be sent. >> >> Also as far as I know, iOS doesn't send this header, so I'm not sure why >> Android needs it? >> >> On Monday, September 8, 2025 at 8:52:30 AM UTC-5 Carlos Solorzano wrote: >> >>> Sorry if this is not the right place to ask but I'm curious what the >>> status of this is? I'm on WebView 141 and it is still sending the >>> X-Requested-With header. >>> >>> On Wednesday, April 19, 2023 at 2:55:38 PM UTC-5 Chris Harrelson wrote: >>> >>>> LGTM3 >>>> >>>> On Wed, Apr 12, 2023 at 1:14 AM Peter Birk Pakkenberg < >>>> [email protected]> wrote: >>>> >>>>> Thank you Mike and Yoav, >>>>> >>>>> Can I get a third LGTM to let me proceed to a 1% roll-out on stable? >>>>> >>>>> >>>>> Sincerely, >>>>> [image: Google Logo] >>>>> Peter Birk Pakkenberg >>>>> Software Engineer >>>>> [email protected] >>>>> >>>>> >>>>> On Fri, 7 Apr 2023 at 12:05, Yoav Weiss <[email protected]> wrote: >>>>> >>>>>> LGTM2 >>>>>> >>>>>> It seems like there's no way for us to know who relies on this >>>>>> without trying the removal and finding out. Slow and careful rollout >>>>>> makes >>>>>> sense in that case. >>>>>> >>>>>> On Wed, Apr 5, 2023 at 8:58 PM Mike Taylor <[email protected]> >>>>>> wrote: >>>>>> >>>>>>> Apologies Peter, this intent fell off the radar of our tooling. >>>>>>> >>>>>>> LGTM1 to proceed with the outlined plan. Thanks for creating a >>>>>>> deprecation trial and blogging about it. >>>>>>> On 4/5/23 1:07 PM, Peter Birk Pakkenberg wrote: >>>>>>> >>>>>>> Hello blink-dev@ >>>>>>> >>>>>>> Are there any objections or questions about starting the removal of >>>>>>> this header? >>>>>>> >>>>>>> If not, I would appreciate LGTM's to let me proceed with a 1% stable >>>>>>> roll-out in M112. >>>>>>> >>>>>>> Sincerely, >>>>>>> [image: Google Logo] >>>>>>> Peter Birk Pakkenberg >>>>>>> Software Engineer >>>>>>> [email protected] >>>>>>> >>>>>>> >>>>>>> On Thu, 30 Mar 2023 at 16:17, Peter Birk Pakkenberg < >>>>>>> [email protected]> wrote: >>>>>>> >>>>>>>> Hello blink-dev@ >>>>>>>> >>>>>>>> Are there any objections to start shipping this feature in M112? >>>>>>>> >>>>>>>> Sincerely, >>>>>>>> [image: Google Logo] >>>>>>>> Peter Birk Pakkenberg >>>>>>>> Software Engineer >>>>>>>> [email protected] >>>>>>>> >>>>>>>> >>>>>>>> On Wed, 15 Mar 2023 at 14:24, Peter Birk Pakkenberg < >>>>>>>> [email protected]> wrote: >>>>>>>> >>>>>>>>> Hi Mike, >>>>>>>>> >>>>>>>>> We plan to keep the setRequestedWithHeaderOriginAllowList API for >>>>>>>>> the duration of the XRW origin trial, but have not made any decisions >>>>>>>>> beyond that at this point in either direction. >>>>>>>>> >>>>>>>>> Sincerely, >>>>>>>>> [image: Google Logo] >>>>>>>>> Peter Birk Pakkenberg >>>>>>>>> Software Engineer >>>>>>>>> [email protected] >>>>>>>>> >>>>>>>>> >>>>>>>>> On Mon, 13 Mar 2023 at 14:41, Mike Taylor <[email protected]> >>>>>>>>> wrote: >>>>>>>>> >>>>>>>>>> On 3/13/23 9:11 AM, Peter Birk Pakkenberg wrote: >>>>>>>>>> >>>>>>>>>> Contact emails >>>>>>>>>> >>>>>>>>>> [email protected] >>>>>>>>>> >>>>>>>>>> Explainer >>>>>>>>>> >>>>>>>>>> Android Developer Blog post >>>>>>>>>> <https://android-developers.googleblog.com/2023/02/improving-user-privacy-by-requiring-opt-in-to-send-x-requested-wih-header-from-webview.html> >>>>>>>>>> >>>>>>>>>> Summary >>>>>>>>>> >>>>>>>>>> Removes the default X-Requested-With header from HTTP requests >>>>>>>>>> made by WebView. >>>>>>>>>> >>>>>>>>>> The X-Requested-With header is set by WebView, with the package >>>>>>>>>> name of the embedding apk as the value. >>>>>>>>>> >>>>>>>>>> This use of the header will be discontinued. >>>>>>>>>> >>>>>>>>>> Developers who rely on this header can sign up for a deprecation >>>>>>>>>> origin trial >>>>>>>>>> <https://developer.chrome.com/origintrials/#/view_trial/1390486384950640641> >>>>>>>>>> >>>>>>>>>> to continue to receive the header during the deprecation period. >>>>>>>>>> >>>>>>>>>> The deprecation origin trial will be extended until replacement >>>>>>>>>> APIs are available to address use cases of the header, as explained >>>>>>>>>> in this Android >>>>>>>>>> Developer Blog post >>>>>>>>>> <https://android-developers.googleblog.com/2023/02/improving-user-privacy-by-requiring-opt-in-to-send-x-requested-wih-header-from-webview.html> >>>>>>>>>> . >>>>>>>>>> >>>>>>>>>> The roll-out of this removal will be slower than usual. See >>>>>>>>>> “Estimated milestones” below. >>>>>>>>>> >>>>>>>>>> Blink component >>>>>>>>>> >>>>>>>>>> Mobile>WebView >>>>>>>>>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Mobile%3EWebView> >>>>>>>>>> >>>>>>>>>> Search tags >>>>>>>>>> >>>>>>>>>> Headers <https://chromestatus.com/features#tags:Headers> >>>>>>>>>> >>>>>>>>>> TAG review >>>>>>>>>> >>>>>>>>>> TAG review status >>>>>>>>>> >>>>>>>>>> Not applicable >>>>>>>>>> >>>>>>>>>> Risks >>>>>>>>>> >>>>>>>>>> Interoperability and Compatibility >>>>>>>>>> >>>>>>>>>> Gecko: N/A >>>>>>>>>> >>>>>>>>>> WebKit: N/A >>>>>>>>>> >>>>>>>>>> Web developers: No signals >>>>>>>>>> >>>>>>>>>> Other signals: >>>>>>>>>> >>>>>>>>>> WebView application risks >>>>>>>>>> >>>>>>>>>> Does this intent deprecate or change behavior of existing APIs, >>>>>>>>>> such that it has potentially high risk for Android WebView-based >>>>>>>>>> applications? >>>>>>>>>> >>>>>>>>>> This feature removes a header sent by default by WebView. It >>>>>>>>>> should have no direct impact on applications using WebViews, but >>>>>>>>>> sites >>>>>>>>>> loaded in the WebView will no longer receive the X-Requested-With >>>>>>>>>> header >>>>>>>>>> unless the app explicitly allowlist the site >>>>>>>>>> <https://developer.android.com/reference/androidx/webkit/WebSettingsCompat#setRequestedWithHeaderOriginAllowList(android.webkit.WebSettings,java.util.Set%3Cjava.lang.String%3E)> >>>>>>>>>> >>>>>>>>>> to receive the header or the site participates in the deprecation >>>>>>>>>> trial. >>>>>>>>>> >>>>>>>>>> Do you expect to deprecate setRequestedWithHeaderOriginAllowList >>>>>>>>>> at some future point? >>>>>>>>>> >>>>>>>>>> Will this feature be supported on all six Blink platforms >>>>>>>>>> (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)? >>>>>>>>>> >>>>>>>>>> No >>>>>>>>>> >>>>>>>>>> WebView-only feature being deprecated >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Is this feature fully tested by web-platform-tests >>>>>>>>>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md> >>>>>>>>>> ? >>>>>>>>>> >>>>>>>>>> No - WebView is not covered by Web Platform Tests. >>>>>>>>>> >>>>>>>>>> Flag name >>>>>>>>>> >>>>>>>>>> WebViewXRequestedWithHeaderControl >>>>>>>>>> >>>>>>>>>> Requires code in //chrome? >>>>>>>>>> >>>>>>>>>> False >>>>>>>>>> >>>>>>>>>> Tracking bug >>>>>>>>>> >>>>>>>>>> https://crbug.com/960720 >>>>>>>>>> >>>>>>>>>> Estimated milestones >>>>>>>>>> >>>>>>>>>> - >>>>>>>>>> >>>>>>>>>> Roll-out in M111 beta (up to 50%) >>>>>>>>>> - >>>>>>>>>> >>>>>>>>>> Roll-out in M112 stable (up to 1%) >>>>>>>>>> - >>>>>>>>>> >>>>>>>>>> Roll-out to M113 stable (up to 5%) >>>>>>>>>> >>>>>>>>>> Further roll-out to be assessed based on developer input and >>>>>>>>>> feedback, considering that people might need time to adopt the OT. >>>>>>>>>> >>>>>>>>>> While we have announced the change through public developer >>>>>>>>>> communications and direct outreach to several partners, receiving >>>>>>>>>> mostly >>>>>>>>>> positive or neutral feedback, we expect that negative impacts, if >>>>>>>>>> any, will >>>>>>>>>> be more visible at 1% and 5% of stable traffic. We may want to >>>>>>>>>> allow more >>>>>>>>>> time to adopt the deprecation trial before continuing to ramp up. >>>>>>>>>> >>>>>>>>>> This looks like a reasonable, conservative rollout plan, thanks. >>>>>>>>>> >>>>>>>>>> Link to entry on the Chrome Platform Status >>>>>>>>>> >>>>>>>>>> https://chromestatus.com/feature/5160086884843520 >>>>>>>>>> >>>>>>>>>> Links to previous Intent discussions >>>>>>>>>> >>>>>>>>>> Intent to Deprecate: >>>>>>>>>> https://groups.google.com/a/chromium.org/g/blink-dev/c/k9HL9muJPxs >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> This intent message was generated by Chrome Platform Status >>>>>>>>>> <https://chromestatus.com/>. >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Sincerely, >>>>>>>>>> [image: Google Logo] >>>>>>>>>> Peter Birk Pakkenberg >>>>>>>>>> Software Engineer >>>>>>>>>> [email protected] >>>>>>>>>> -- >>>>>>>>>> You received this message because you are subscribed to the >>>>>>>>>> Google Groups "blink-dev" group. >>>>>>>>>> To unsubscribe from this group and stop receiving emails from it, >>>>>>>>>> send an email to [email protected]. >>>>>>>>>> To view this discussion on the web visit >>>>>>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CACvTYjtyf389m7ywT7042GXBzVCz4z6Pmn9UCNztMA23ewTZqw%40mail.gmail.com >>>>>>>>>> >>>>>>>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CACvTYjtyf389m7ywT7042GXBzVCz4z6Pmn9UCNztMA23ewTZqw%40mail.gmail.com?utm_medium=email&utm_source=footer> >>>>>>>>>> . >>>>>>>>>> >>>>>>>>>> -- >>>>>>> You received this message because you are subscribed to the Google >>>>>>> Groups "blink-dev" group. >>>>>>> To unsubscribe from this group and stop receiving emails from it, >>>>>>> send an email to [email protected]. >>>>>>> To view this discussion on the web visit >>>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/63373d78-6db4-e974-2451-24fad35903da%40chromium.org >>>>>>> >>>>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/63373d78-6db4-e974-2451-24fad35903da%40chromium.org?utm_medium=email&utm_source=footer> >>>>>>> . >>>>>>> >>>>>> -- >>>>> You received this message because you are subscribed to the Google >>>>> Groups "blink-dev" group. >>>>> To unsubscribe from this group and stop receiving emails from it, send >>>>> an email to [email protected]. >>>>> >>>> To view this discussion on the web visit >>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CACvTYjuUBd_9qULnJyumjR7ye_DRQcv_oULzPJpx8TQ_aLWOWA%40mail.gmail.com >>>>> >>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CACvTYjuUBd_9qULnJyumjR7ye_DRQcv_oULzPJpx8TQ_aLWOWA%40mail.gmail.com?utm_medium=email&utm_source=footer> >>>>> . >>>>> >>>> -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/1622fb3d-c2f1-4be7-9cdf-46f81da3ed42n%40chromium.org.
