Hi Rick, Yes - removal is part of the goal here.

Sincerely,
Peter Birk Pakkenberg
Software Engineer
[email protected]
+447469379358

On Mon, 19 Dec 2022 at 17:08, Rick Byers <[email protected]> wrote:

> Thanks for working to remove this non-standard WebView-only behavior, I agree it's a privacy issue. I assume this is an "Intent to Deprecate and Remove <https://www.chromium.org/blink/launching-features/#:~:text=%E2%80%9CIntent%20to%20Deprecate%20and%20Remove%E2%80%9D>" looking for permission to remove this behavior (not just mark it 'deprecated'), is that right?
>
> If so, LGTM1.
>
> There may still be some compat and developer messaging risks, but the WebView team (of which Peter is a member) are the right experts to navigate those.
>
> On Mon, Dec 19, 2022 at 5:18 AM 'Peter Birk Pakkenberg' via blink-dev <[email protected]> wrote:
>
>> Contact emails
>>
>> [email protected]
>>
>> Explainer
>>
>> None
>>
>> Specification
>>
>> Summary
>>
>> Removes the default X-Requested-With header from HTTP requests made by WebView.
>>
>> The X-Requested-With header is set by WebView, with the package name of the embedding apk as the value.
>>
>> This use of the header will be discontinued.
>>
>> Blink component
>>
>> Mobile>WebView <https://bugs.chromium.org/p/chromium/issues/list?q=component:Mobile%3EWebView>
>>
>> Motivation
>>
>> The header as implemented in WebView does not follow the principle of meaningful consent of all parties exchanging the information[1]. Developers can utilize unreliable and undocumented methods to opt out.
>>
>> Users are not provided with an opt-out option. The content owner is the only party with full control over the information provided in the header.
>>
>> APK name is also an abundant source of passive fingerprinting information about the users. It contains specific information about the browsing context. When the application is not omnipresent (i.e. has a relatively small user base), together with other information (e.g. approx. geolocation based on an IP address), it can provide a fairly unique identifier of a user.
>>
>> On top of those privacy issues, the header is undocumented, used in non-WebView context for a completely different purpose, notoriously misunderstood, and causing security issues since its introduction.
>>
>> [1]: https://w3ctag.github.io/design-principles/#consent
>>
>> Initial public proposal
>>
>> Search tags
>>
>> Headers <https://chromestatus.com/features#tags:Headers>
>>
>> TAG review
>>
>> TAG review status
>>
>> Not applicable
>>
>> Risks
>>
>> Interoperability and Compatibility
>>
>> Gecko: N/A
>>
>> WebKit: N/A
>>
>> Web developers: No signals
>>
>> Other signals:
>>
>> WebView application risks
>>
>> Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
>>
>> This feature removes a header sent by default by WebView. It should have no direct impact on applications using WebViews, but sites loaded in the WebView will no longer receive the X-Requested-With header unless the app explicitly allowlists the site[1] to receive the header or the site participates in the deprecation trial.
>>
>> [1]: https://developer.android.com/reference/androidx/webkit/WebSettingsCompat#setRequestedWithHeaderOriginAllowList(android.webkit.WebSettings,java.util.Set%3Cjava.lang.String%3E)
>>
>> Debuggability
>>
>> Is this feature fully tested by web-platform-tests <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
>>
>> No
>>
>> Flag name
>>
>> WebViewXRequestedWithHeaderControl
>>
>> Requires code in //chrome?
>>
>> False
>>
>> Tracking bug
>>
>> https://crbug.com/960720
>>
>> Launch bug
>>
>> https://launch.corp.google.com/launch/4136516
>>
>> Estimated milestones
>>
>> DevTrial on Android
>>
>> 109
>>
>> OriginTrial webView first
>>
>> 110
>>
>> Link to entry on the Chrome Platform Status
>>
>> https://chromestatus.com/feature/5160086884843520
>>
>> This intent message was generated by Chrome Platform Status <https://chromestatus.com/>.
>>
>> Sincerely,
>> Peter Birk Pakkenberg
>> Software Engineer
>> [email protected]
>> +447469379358
>>
>> --
>> You received this message because you are subscribed to the Google Groups "blink-dev" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CACvTYjv0PC76S%3DZkg66V_KCPfrb3tAnryWGnA6TfQz-ay2yXKA%40mail.gmail.com.

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CACvTYjuZy4SeHwVCJ%2BGvawdGrAR6myzAJEwZEX6Jmymii6wxDg%40mail.gmail.com.
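The allowlist opt-in mentioned under "WebView application risks" above, as an added example that is not part of the thread or of the WebView project's own code: an app that still needs its backend to see X-Requested-With restricts the header to that one origin instead of leaking the package name to every site the WebView loads. It uses the androidx.webkit `WebSettingsCompat.setRequestedWithHeaderOriginAllowList` API linked in the intent; the feature-check constant `WebViewFeature.REQUESTED_WITH_HEADER_ALLOW_LIST` and the origin `https://api.example.com` are assumed for illustration and should be checked against your androidx.webkit version.

```java
import android.webkit.WebSettings;
import android.webkit.WebView;
import androidx.webkit.WebSettingsCompat;
import androidx.webkit.WebViewFeature;
import java.util.Collections;
import java.util.Set;

/** Added example: scope X-Requested-With to explicitly trusted origins only. */
public final class RequestedWithAllowList {
    private RequestedWithAllowList() {}

    /**
     * Sends the X-Requested-With header only to the given origins.
     * Returns true if the allowlist was applied. Returns false when the
     * installed WebView predates the control; on such devices the header
     * is still sent to every site by default, so callers should treat
     * the package name as exposed and avoid relying on its absence.
     */
    public static boolean apply(WebView webView, Set<String> allowedOrigins) {
        // Feature constant name assumed from androidx.webkit; verify locally.
        if (!WebViewFeature.isFeatureSupported(
                WebViewFeature.REQUESTED_WITH_HEADER_ALLOW_LIST)) {
            return false;
        }
        WebSettings settings = webView.getSettings();
        // Entries are origins (scheme + host, optional port), not full URLs.
        WebSettingsCompat.setRequestedWithHeaderOriginAllowList(settings, allowedOrigins);
        return true;
    }

    /** Typical use: only the app's own backend is allowed to see the header. */
    public static boolean restrictToBackend(WebView webView) {
        // Constructed origin for illustration only.
        return apply(webView, Collections.singleton("https://api.example.com"));
    }

    /** Clears the allowlist so no origin receives the header (the new default). */
    public static boolean disableEverywhere(WebView webView) {
        return apply(webView, Collections.<String>emptySet());
    }
}
```

Because the backend receives the header only from allowlisted origins and can be spoofed by any non-WebView client, it should be treated as a hint for analytics, never as an authentication or CSRF signal.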
