There are differences in the set of trust signals available in Android and iOS' webviews, so that will very much depend on the app or library consuming them. I don't have a more concrete answer for you I'm afraid.
Thanks, Peter On Thu, Oct 9, 2025 at 4:58 PM Carlos Solorzano <[email protected]> wrote: > How does iOS solve this issue without that header? > > On Thursday, October 9, 2025 at 10:51:58 AM UTC-5 Peter Beverloo wrote: > >> There are various use cases, common among all of them is that WebView >> usage isn't always through SDKs - it's entirely valid for an app to load >> arbitrary Web content in a WebView, which in turn might include ads, or ask >> the user to sign in, make a payment, and so on. >> >> Thanks, >> Peter >> >> On Thu, Oct 9, 2025 at 3:53 PM Carlos Solorzano <[email protected]> >> wrote: >> >>> I'm assuming you are mostly talking about fraud on ads that use the >>> WebView? Feels like that should be controlled at the ad network level, they >>> control their own WebView's so they can force the header to be sent. >>> >>> Also as far as I know, iOS doesn't send this header, so I'm not sure why >>> Android needs it? >>> >>> On Monday, September 8, 2025 at 8:52:30 AM UTC-5 Carlos Solorzano wrote: >>> >>>> Sorry if this is not the right place to ask but I'm curious what the >>>> status of this is? I'm on WebView 141 and it is still sending the >>>> X-Requested-With header. >>>> >>>> On Wednesday, April 19, 2023 at 2:55:38 PM UTC-5 Chris Harrelson wrote: >>>> >>>>> LGTM3 >>>>> >>>>> On Wed, Apr 12, 2023 at 1:14 AM Peter Birk Pakkenberg < >>>>> [email protected]> wrote: >>>>> >>>>>> Thank you Mike and Yoav, >>>>>> >>>>>> Can I get a third LGTM to let me proceed to a 1% roll-out on stable? >>>>>> >>>>>> >>>>>> Sincerely, >>>>>> [image: Google Logo] >>>>>> Peter Birk Pakkenberg >>>>>> Software Engineer >>>>>> [email protected] >>>>>> >>>>>> >>>>>> On Fri, 7 Apr 2023 at 12:05, Yoav Weiss <[email protected]> wrote: >>>>>> >>>>>>> LGTM2 >>>>>>> >>>>>>> It seems like there's no way for us to know who relies on this >>>>>>> without trying the removal and finding out. Slow and careful rollout >>>>>>> makes >>>>>>> sense in that case. >>>>>>> >>>>>>> On Wed, Apr 5, 2023 at 8:58 PM Mike Taylor <[email protected]> >>>>>>> wrote: >>>>>>> >>>>>>>> Apologies Peter, this intent fell off the radar of our tooling. >>>>>>>> >>>>>>>> LGTM1 to proceed with the outlined plan. Thanks for creating a >>>>>>>> deprecation trial and blogging about it. >>>>>>>> On 4/5/23 1:07 PM, Peter Birk Pakkenberg wrote: >>>>>>>> >>>>>>>> Hello blink-dev@ >>>>>>>> >>>>>>>> Are there any objections or questions about starting the removal of >>>>>>>> this header? >>>>>>>> >>>>>>>> If not, I would appreciate LGTM's to let me proceed with a 1% >>>>>>>> stable roll-out in M112. >>>>>>>> >>>>>>>> Sincerely, >>>>>>>> [image: Google Logo] >>>>>>>> Peter Birk Pakkenberg >>>>>>>> Software Engineer >>>>>>>> [email protected] >>>>>>>> >>>>>>>> >>>>>>>> On Thu, 30 Mar 2023 at 16:17, Peter Birk Pakkenberg < >>>>>>>> [email protected]> wrote: >>>>>>>> >>>>>>>>> Hello blink-dev@ >>>>>>>>> >>>>>>>>> Are there any objections to start shipping this feature in M112? >>>>>>>>> >>>>>>>>> Sincerely, >>>>>>>>> [image: Google Logo] >>>>>>>>> Peter Birk Pakkenberg >>>>>>>>> Software Engineer >>>>>>>>> [email protected] >>>>>>>>> >>>>>>>>> >>>>>>>>> On Wed, 15 Mar 2023 at 14:24, Peter Birk Pakkenberg < >>>>>>>>> [email protected]> wrote: >>>>>>>>> >>>>>>>>>> Hi Mike, >>>>>>>>>> >>>>>>>>>> We plan to keep the setRequestedWithHeaderOriginAllowList API for >>>>>>>>>> the duration of the XRW origin trial, but have not made any decisions >>>>>>>>>> beyond that at this point in either direction. >>>>>>>>>> >>>>>>>>>> Sincerely, >>>>>>>>>> [image: Google Logo] >>>>>>>>>> Peter Birk Pakkenberg >>>>>>>>>> Software Engineer >>>>>>>>>> [email protected] >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> On Mon, 13 Mar 2023 at 14:41, Mike Taylor <[email protected]> >>>>>>>>>> wrote: >>>>>>>>>> >>>>>>>>>>> On 3/13/23 9:11 AM, Peter Birk Pakkenberg wrote: >>>>>>>>>>> >>>>>>>>>>> Contact emails >>>>>>>>>>> >>>>>>>>>>> [email protected] >>>>>>>>>>> >>>>>>>>>>> Explainer >>>>>>>>>>> >>>>>>>>>>> Android Developer Blog post >>>>>>>>>>> <https://android-developers.googleblog.com/2023/02/improving-user-privacy-by-requiring-opt-in-to-send-x-requested-wih-header-from-webview.html> >>>>>>>>>>> >>>>>>>>>>> Summary >>>>>>>>>>> >>>>>>>>>>> Removes the default X-Requested-With header from HTTP requests >>>>>>>>>>> made by WebView. >>>>>>>>>>> >>>>>>>>>>> The X-Requested-With header is set by WebView, with the package >>>>>>>>>>> name of the embedding apk as the value. >>>>>>>>>>> >>>>>>>>>>> This use of the header will be discontinued. >>>>>>>>>>> >>>>>>>>>>> Developers who rely on this header can sign up for a deprecation >>>>>>>>>>> origin trial >>>>>>>>>>> <https://developer.chrome.com/origintrials/#/view_trial/1390486384950640641> >>>>>>>>>>> to continue to receive the header during the deprecation period. >>>>>>>>>>> >>>>>>>>>>> The deprecation origin trial will be extended until replacement >>>>>>>>>>> APIs are available to address use cases of the header, as explained >>>>>>>>>>> in this Android >>>>>>>>>>> Developer Blog post >>>>>>>>>>> <https://android-developers.googleblog.com/2023/02/improving-user-privacy-by-requiring-opt-in-to-send-x-requested-wih-header-from-webview.html> >>>>>>>>>>> . >>>>>>>>>>> >>>>>>>>>>> The roll-out of this removal will be slower than usual. See >>>>>>>>>>> “Estimated milestones” below. >>>>>>>>>>> >>>>>>>>>>> Blink component >>>>>>>>>>> >>>>>>>>>>> Mobile>WebView >>>>>>>>>>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Mobile%3EWebView> >>>>>>>>>>> >>>>>>>>>>> Search tags >>>>>>>>>>> >>>>>>>>>>> Headers <https://chromestatus.com/features#tags:Headers> >>>>>>>>>>> >>>>>>>>>>> TAG review >>>>>>>>>>> >>>>>>>>>>> TAG review status >>>>>>>>>>> >>>>>>>>>>> Not applicable >>>>>>>>>>> >>>>>>>>>>> Risks >>>>>>>>>>> >>>>>>>>>>> Interoperability and Compatibility >>>>>>>>>>> >>>>>>>>>>> Gecko: N/A >>>>>>>>>>> >>>>>>>>>>> WebKit: N/A >>>>>>>>>>> >>>>>>>>>>> Web developers: No signals >>>>>>>>>>> >>>>>>>>>>> Other signals: >>>>>>>>>>> >>>>>>>>>>> WebView application risks >>>>>>>>>>> >>>>>>>>>>> Does this intent deprecate or change behavior of existing APIs, >>>>>>>>>>> such that it has potentially high risk for Android WebView-based >>>>>>>>>>> applications? >>>>>>>>>>> >>>>>>>>>>> This feature removes a header sent by default by WebView. It >>>>>>>>>>> should have no direct impact on applications using WebViews, but >>>>>>>>>>> sites >>>>>>>>>>> loaded in the WebView will no longer receive the X-Requested-With >>>>>>>>>>> header >>>>>>>>>>> unless the app explicitly allowlist the site >>>>>>>>>>> <https://developer.android.com/reference/androidx/webkit/WebSettingsCompat#setRequestedWithHeaderOriginAllowList(android.webkit.WebSettings,java.util.Set%3Cjava.lang.String%3E)> >>>>>>>>>>> to receive the header or the site participates in the deprecation >>>>>>>>>>> trial. >>>>>>>>>>> >>>>>>>>>>> Do you expect to deprecate setRequestedWithHeaderOriginAllowList >>>>>>>>>>> at some future point? >>>>>>>>>>> >>>>>>>>>>> Will this feature be supported on all six Blink platforms >>>>>>>>>>> (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)? >>>>>>>>>>> >>>>>>>>>>> No >>>>>>>>>>> >>>>>>>>>>> WebView-only feature being deprecated >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> Is this feature fully tested by web-platform-tests >>>>>>>>>>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md> >>>>>>>>>>> ? >>>>>>>>>>> >>>>>>>>>>> No - WebView is not covered by Web Platform Tests. >>>>>>>>>>> >>>>>>>>>>> Flag name >>>>>>>>>>> >>>>>>>>>>> WebViewXRequestedWithHeaderControl >>>>>>>>>>> >>>>>>>>>>> Requires code in //chrome? >>>>>>>>>>> >>>>>>>>>>> False >>>>>>>>>>> >>>>>>>>>>> Tracking bug >>>>>>>>>>> >>>>>>>>>>> https://crbug.com/960720 >>>>>>>>>>> >>>>>>>>>>> Estimated milestones >>>>>>>>>>> >>>>>>>>>>> - >>>>>>>>>>> >>>>>>>>>>> Roll-out in M111 beta (up to 50%) >>>>>>>>>>> - >>>>>>>>>>> >>>>>>>>>>> Roll-out in M112 stable (up to 1%) >>>>>>>>>>> - >>>>>>>>>>> >>>>>>>>>>> Roll-out to M113 stable (up to 5%) >>>>>>>>>>> >>>>>>>>>>> Further roll-out to be assessed based on developer input and >>>>>>>>>>> feedback, considering that people might need time to adopt the OT. >>>>>>>>>>> >>>>>>>>>>> While we have announced the change through public developer >>>>>>>>>>> communications and direct outreach to several partners, receiving >>>>>>>>>>> mostly >>>>>>>>>>> positive or neutral feedback, we expect that negative impacts, if >>>>>>>>>>> any, will >>>>>>>>>>> be more visible at 1% and 5% of stable traffic. We may want to >>>>>>>>>>> allow more >>>>>>>>>>> time to adopt the deprecation trial before continuing to ramp up. >>>>>>>>>>> >>>>>>>>>>> This looks like a reasonable, conservative rollout plan, thanks. >>>>>>>>>>> >>>>>>>>>>> Link to entry on the Chrome Platform Status >>>>>>>>>>> >>>>>>>>>>> https://chromestatus.com/feature/5160086884843520 >>>>>>>>>>> >>>>>>>>>>> Links to previous Intent discussions >>>>>>>>>>> >>>>>>>>>>> Intent to Deprecate: >>>>>>>>>>> https://groups.google.com/a/chromium.org/g/blink-dev/c/k9HL9muJPxs >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> This intent message was generated by Chrome Platform Status >>>>>>>>>>> <https://chromestatus.com/>. >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> Sincerely, >>>>>>>>>>> [image: Google Logo] >>>>>>>>>>> Peter Birk Pakkenberg >>>>>>>>>>> Software Engineer >>>>>>>>>>> [email protected] >>>>>>>>>>> -- >>>>>>>>>>> You received this message because you are subscribed to the >>>>>>>>>>> Google Groups "blink-dev" group. >>>>>>>>>>> To unsubscribe from this group and stop receiving emails from >>>>>>>>>>> it, send an email to [email protected]. >>>>>>>>>>> To view this discussion on the web visit >>>>>>>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CACvTYjtyf389m7ywT7042GXBzVCz4z6Pmn9UCNztMA23ewTZqw%40mail.gmail.com >>>>>>>>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CACvTYjtyf389m7ywT7042GXBzVCz4z6Pmn9UCNztMA23ewTZqw%40mail.gmail.com?utm_medium=email&utm_source=footer> >>>>>>>>>>> . >>>>>>>>>>> >>>>>>>>>>> -- >>>>>>>> You received this message because you are subscribed to the Google >>>>>>>> Groups "blink-dev" group. >>>>>>>> To unsubscribe from this group and stop receiving emails from it, >>>>>>>> send an email to [email protected]. >>>>>>>> To view this discussion on the web visit >>>>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/63373d78-6db4-e974-2451-24fad35903da%40chromium.org >>>>>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/63373d78-6db4-e974-2451-24fad35903da%40chromium.org?utm_medium=email&utm_source=footer> >>>>>>>> . >>>>>>>> >>>>>>> -- >>>>>> You received this message because you are subscribed to the Google >>>>>> Groups "blink-dev" group. >>>>>> To unsubscribe from this group and stop receiving emails from it, >>>>>> send an email to [email protected]. >>>>>> >>>>> To view this discussion on the web visit >>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CACvTYjuUBd_9qULnJyumjR7ye_DRQcv_oULzPJpx8TQ_aLWOWA%40mail.gmail.com >>>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CACvTYjuUBd_9qULnJyumjR7ye_DRQcv_oULzPJpx8TQ_aLWOWA%40mail.gmail.com?utm_medium=email&utm_source=footer> >>>>>> . >>>>>> >>>>> -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CALt3x6n9Sdao5C%2Bnkt7GzysiXTr5RbQHpZ2J921hxDagtam%3DYQ%40mail.gmail.com.
