Hi Rick, Mike, and blink-dev@ To clarify my last statement, here is our proposed plan:
We intend to start a deprecation trial, which will retain the current behaviour of sending the X-Requested-With header from WebView clients, however, as an opt-in rather than default behaviour. This trial is planned to run for at least one year, but we’d only like it to end once we have a replacement solution. Simultaneously, we’re working on gathering requirements and designing replacement APIs for the key use cases, in a secure and privacy-conscious manner. Right now we are looking for approval to start the deprecation trial and change the header to become opt-in for non-trial-participants, with the understanding that this will be an ongoing trial with no set end-date. We will also publish a blog post in January to further lay out the reasons behind this change, and the timeline for the deprecation. Sincerely, [image: Google Logo] Peter Birk Pakkenberg Software Engineer [email protected] +447469379358 On Mon, 19 Dec 2022 at 18:22, Mike Taylor <[email protected]> wrote: > I'm a big fan of removing passive fingerprinting signals, so thanks for > driving this work. Just a few questions: > > https://bugs.chromium.org/p/chromium/issues/detail?id=960720#c2 stated > that "changing the default behaviour would be a significant compatibility > risk" - I assume your team is going to publish some migration guidance for > developers to reduce the risk. Can you confirm? > > Also, this intent mentions a deprecation trial - does that already exist? > Could you give more details on the plans there? (I don't recall seeing a > "Request for Deprecation Trial" for that, but I'm bad at email...) > > Can you also clarify your proposed timelines (for the deprecation trial, > and removal)? > > thanks, > Mike > > On 12/19/22 12:13 PM, 'Peter Birk Pakkenberg' via blink-dev wrote: > > Hi Rick, > > Yes - removal is part of the goal here. > > Sincerely, > [image: Google Logo] > Peter Birk Pakkenberg > Software Engineer > [email protected] > +447469379358 <+44%207469%20379358> > > > On Mon, 19 Dec 2022 at 17:08, Rick Byers <[email protected]> wrote: > >> Thanks for working to remove this non-standard WebView-only behavior, I >> agree it's a privacy issue. I assume this is an "Intent to Deprecate and >> Remove >> <https://www.chromium.org/blink/launching-features/#:~:text=%E2%80%9CIntent%20to%20Deprecate%20and%20Remove%E2%80%9D>" >> looking for permission to remove this behavior (not just mark it >> 'deprecated'), is that right? >> >> If so, LGTM1. >> >> There may still be some compat and developer messaging risks, but the >> WebView team (of which Peter is a member) are the right experts to navigate >> those. >> >> >> >> On Mon, Dec 19, 2022 at 5:18 AM 'Peter Birk Pakkenberg' via blink-dev < >> [email protected]> wrote: >> >>> Contact emails >>> >>> [email protected] >>> >>> Explainer >>> >>> None >>> >>> Specification >>> >>> Summary >>> >>> Removes the default X-Requested-With header from HTTP requests made by >>> WebView. >>> >>> The X-Requested-With header is set by WebView, with the package name of >>> the embedding apk as the value. >>> >>> This use of the header will be discontinued. >>> >>> >>> Blink component >>> >>> Mobile>WebView >>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Mobile%3EWebView> >>> >>> Motivation >>> >>> The header as implemented in WebView does not follow the principle of >>> meaningful consent of all parties exchanging the information[1]. Developer >>> can utilize unreliable and undocumented methods to opt-out. >>> >>> Users are not provided with an opt-out option. The content owner is the >>> only party with full control over the information provided in the header. >>> >>> APK name is also an abundant source of passive fingerprinting >>> information about the users. It contains specific information about the >>> browsing context. When the application is not omnipresent (i.e. has a >>> relatively small user base), together with other information (e.g. approx. >>> geolocation based on an IP address), it can provide a fairly unique >>> identifier of a user. >>> >>> On top of those privacy issues, the header is undocumented, used in >>> non-WebView context for a completely different purpose, notoriously >>> misunderstood, and causing security issues since its introduction. >>> >>> [1]: https://w3ctag.github.io/design-principles/#consent >>> >>> >>> >>> Initial public proposal >>> >>> Search tags >>> >>> Headers <https://chromestatus.com/features#tags:Headers> >>> >>> TAG review >>> >>> TAG review status >>> >>> Not applicable >>> >>> Risks >>> >>> Interoperability and Compatibility >>> >>> Gecko: N/A >>> >>> WebKit: N/A >>> >>> Web developers: No signals >>> >>> Other signals: >>> >>> WebView application risks >>> >>> Does this intent deprecate or change behavior of existing APIs, such >>> that it has potentially high risk for Android WebView-based applications? >>> >>> This feature removes a header sent by default by WebView. It should have >>> no direct impact on applications using WebViews, but sites loaded in the >>> WebView will no longer receive the X-Requested-With header unless the app >>> explicitly allowlist the site[1] to receive the header or the site >>> participates in the deprecation trial. >>> >>> [1]: >>> https://developer.android.com/reference/androidx/webkit/WebSettingsCompat#setRequestedWithHeaderOriginAllowList(android.webkit.WebSettings,java.util.Set%3Cjava.lang.String%3E) >>> >>> >>> Debuggability >>> >>> Is this feature fully tested by web-platform-tests >>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md> >>> ? >>> >>> No >>> >>> Flag name >>> >>> WebViewXRequestedWithHeaderControl >>> >>> Requires code in //chrome? >>> >>> False >>> >>> Tracking bug >>> >>> https://crbug.com/960720 >>> >>> Launch bug >>> >>> https://launch.corp.google.com/launch/4136516 >>> >>> Estimated milestones >>> >>> DevTrial on Android >>> >>> 109 >>> >>> OriginTrial webView first >>> >>> 110 >>> >>> >>> >>> Link to entry on the Chrome Platform Status >>> >>> https://chromestatus.com/feature/5160086884843520 >>> >>> This intent message was generated by Chrome Platform Status >>> <https://chromestatus.com/>. >>> >>> >>> Sincerely, >>> [image: Google Logo] >>> Peter Birk Pakkenberg >>> Software Engineer >>> [email protected] >>> +447469379358 <+44%207469%20379358> >>> -- >>> You received this message because you are subscribed to the Google >>> Groups "blink-dev" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to [email protected]. >>> To view this discussion on the web visit >>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CACvTYjv0PC76S%3DZkg66V_KCPfrb3tAnryWGnA6TfQz-ay2yXKA%40mail.gmail.com >>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CACvTYjv0PC76S%3DZkg66V_KCPfrb3tAnryWGnA6TfQz-ay2yXKA%40mail.gmail.com?utm_medium=email&utm_source=footer> >>> . >>> >> -- > You received this message because you are subscribed to the Google Groups > "blink-dev" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion on the web visit > https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CACvTYjuZy4SeHwVCJ%2BGvawdGrAR6myzAJEwZEX6Jmymii6wxDg%40mail.gmail.com > <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CACvTYjuZy4SeHwVCJ%2BGvawdGrAR6myzAJEwZEX6Jmymii6wxDg%40mail.gmail.com?utm_medium=email&utm_source=footer> > . > > > -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CACvTYjsmiSFbnoqfght2Ue52ewZ0%3DieniLJ%2BNxsvcmGHwcRrHg%40mail.gmail.com.
