Hi Peter,

Thanks for the extra details, that makes sense to me and is roughly what I was assuming would be happening. So still LGTM1

Rick

On Wed, Dec 21, 2022 at 5:53 AM Peter Birk Pakkenberg <[email protected]> wrote:

> Hi Rick, Mike, and blink-dev@
>
> To clarify my last statement, here is our proposed plan:
>
> We intend to start a deprecation trial, which will retain the current behaviour of sending the X-Requested-With header from WebView clients, however, as an opt-in rather than default behaviour. This trial is planned to run for at least one year, but we'd only like it to end once we have a replacement solution.
> Simultaneously, we're working on gathering requirements and designing replacement APIs for the key use cases, in a secure and privacy-conscious manner.
>
> Right now we are looking for approval to start the deprecation trial and change the header to become opt-in for non-trial-participants, with the understanding that this will be an ongoing trial with no set end-date.
>
> We will also publish a blog post in January to further lay out the reasons behind this change, and the timeline for the deprecation.
>
> Sincerely,
> Peter Birk Pakkenberg
> Software Engineer
> [email protected]
> +447469379358
>
> On Mon, 19 Dec 2022 at 18:22, Mike Taylor <[email protected]> wrote:
>
>> I'm a big fan of removing passive fingerprinting signals, so thanks for driving this work. Just a few questions:
>>
>> https://bugs.chromium.org/p/chromium/issues/detail?id=960720#c2 stated that "changing the default behaviour would be a significant compatibility risk" - I assume your team is going to publish some migration guidance for developers to reduce the risk. Can you confirm?
>>
>> Also, this intent mentions a deprecation trial - does that already exist? Could you give more details on the plans there? (I don't recall seeing a "Request for Deprecation Trial" for that, but I'm bad at email...)
>>
>> Can you also clarify your proposed timelines (for the deprecation trial, and removal)?
>>
>> thanks,
>> Mike
>>
>> On 12/19/22 12:13 PM, 'Peter Birk Pakkenberg' via blink-dev wrote:
>>
>> Hi Rick,
>>
>> Yes - removal is part of the goal here.
>>
>> Sincerely,
>> Peter Birk Pakkenberg
>> Software Engineer
>> [email protected]
>> +447469379358
>>
>> On Mon, 19 Dec 2022 at 17:08, Rick Byers <[email protected]> wrote:
>>
>>> Thanks for working to remove this non-standard WebView-only behavior, I agree it's a privacy issue. I assume this is an "Intent to Deprecate and Remove" <https://www.chromium.org/blink/launching-features/#:~:text=%E2%80%9CIntent%20to%20Deprecate%20and%20Remove%E2%80%9D> looking for permission to remove this behavior (not just mark it 'deprecated'), is that right?
>>>
>>> If so, LGTM1.
>>>
>>> There may still be some compat and developer messaging risks, but the WebView team (of which Peter is a member) are the right experts to navigate those.
>>>
>>> On Mon, Dec 19, 2022 at 5:18 AM 'Peter Birk Pakkenberg' via blink-dev <[email protected]> wrote:
>>>
>>>> Contact emails
>>>>
>>>> [email protected]
>>>>
>>>> Explainer
>>>>
>>>> None
>>>>
>>>> Specification
>>>>
>>>> Summary
>>>>
>>>> Removes the default X-Requested-With header from HTTP requests made by WebView.
>>>>
>>>> The X-Requested-With header is set by WebView, with the package name of the embedding apk as the value.
>>>>
>>>> This use of the header will be discontinued.
>>>>
>>>> Blink component
>>>>
>>>> Mobile>WebView <https://bugs.chromium.org/p/chromium/issues/list?q=component:Mobile%3EWebView>
>>>>
>>>> Motivation
>>>>
>>>> The header as implemented in WebView does not follow the principle of meaningful consent of all parties exchanging the information[1]. Developers can utilize unreliable and undocumented methods to opt out.
>>>>
>>>> Users are not provided with an opt-out option. The content owner is the only party with full control over the information provided in the header.
>>>>
>>>> APK name is also an abundant source of passive fingerprinting information about the users. It contains specific information about the browsing context. When the application is not omnipresent (i.e. has a relatively small user base), together with other information (e.g. approx. geolocation based on an IP address), it can provide a fairly unique identifier of a user.
>>>>
>>>> On top of those privacy issues, the header is undocumented, used in non-WebView context for a completely different purpose, notoriously misunderstood, and causing security issues since its introduction.
>>>>
>>>> [1]: https://w3ctag.github.io/design-principles/#consent
>>>>
>>>> Initial public proposal
>>>>
>>>> Search tags
>>>>
>>>> Headers <https://chromestatus.com/features#tags:Headers>
>>>>
>>>> TAG review
>>>>
>>>> TAG review status
>>>>
>>>> Not applicable
>>>>
>>>> Risks
>>>>
>>>> Interoperability and Compatibility
>>>>
>>>> Gecko: N/A
>>>>
>>>> WebKit: N/A
>>>>
>>>> Web developers: No signals
>>>>
>>>> Other signals:
>>>>
>>>> WebView application risks
>>>>
>>>> Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
>>>>
>>>> This feature removes a header sent by default by WebView. It should have no direct impact on applications using WebViews, but sites loaded in the WebView will no longer receive the X-Requested-With header unless the app explicitly allowlists the site[1] to receive the header or the site participates in the deprecation trial.
>>>>
>>>> [1]: https://developer.android.com/reference/androidx/webkit/WebSettingsCompat#setRequestedWithHeaderOriginAllowList(android.webkit.WebSettings,java.util.Set%3Cjava.lang.String%3E)
>>>>
>>>> Debuggability
>>>>
>>>> Is this feature fully tested by web-platform-tests <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
>>>>
>>>> No
>>>>
>>>> Flag name
>>>>
>>>> WebViewXRequestedWithHeaderControl
>>>>
>>>> Requires code in //chrome?
>>>>
>>>> False
>>>>
>>>> Tracking bug
>>>>
>>>> https://crbug.com/960720
>>>>
>>>> Launch bug
>>>>
>>>> https://launch.corp.google.com/launch/4136516
>>>>
>>>> Estimated milestones
>>>>
>>>> DevTrial on Android
>>>>
>>>> 109
>>>>
>>>> OriginTrial webView first
>>>>
>>>> 110
>>>>
>>>> Link to entry on the Chrome Platform Status
>>>>
>>>> https://chromestatus.com/feature/5160086884843520
>>>>
>>>> This intent message was generated by Chrome Platform Status <https://chromestatus.com/>.
>>>>
>>>> Sincerely,
>>>> Peter Birk Pakkenberg
>>>> Software Engineer
>>>> [email protected]
>>>> +447469379358
>>>>
>>>> --
>>>> You received this message because you are subscribed to the Google Groups "blink-dev" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>>> To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CACvTYjv0PC76S%3DZkg66V_KCPfrb3tAnryWGnA6TfQz-ay2yXKA%40mail.gmail.com.
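The app-side opt-in the intent refers to (the androidx.webkit allowlist API linked under "WebView application risks"), written here as an added example that is not code from the thread or from the WebView project. It assumes the feature gate constant WebViewFeature.REQUESTED_WITH_HEADER_ALLOW_LIST and uses a constructed origin, https://api.example.com, standing in for an app's own backend.

```java
import android.webkit.WebSettings;
import android.webkit.WebView;
import androidx.webkit.WebSettingsCompat;
import androidx.webkit.WebViewFeature;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

/**
 * Post-deprecation, WebView sends no X-Requested-With header by default.
 * An app that still needs its own backend to see the package name opts in
 * per origin; every origin not on the list gets nothing, which keeps the
 * passive-fingerprinting surface limited to parties the app chose.
 */
public final class RequestedWithOptIn {
    private RequestedWithOptIn() {}

    /**
     * Applies an explicit origin allowlist for the header.
     * Returns false when the AndroidX feature is not available on this
     * device/WebView version; callers must then assume the header is not
     * being sent to anyone rather than falling back to the old default.
     */
    public static boolean allowlistRequestedWithHeader(WebView webView, Set<String> origins) {
        // Assumption: this is the androidx.webkit feature flag guarding
        // setRequestedWithHeaderOriginAllowList; always check before calling.
        if (!WebViewFeature.isFeatureSupported(WebViewFeature.REQUESTED_WITH_HEADER_ALLOW_LIST)) {
            return false;
        }
        WebSettings settings = webView.getSettings();
        // Entries are origins (scheme + host [+ port]); a copy is stored so the
        // caller's set cannot be mutated later to widen the list unintentionally.
        WebSettingsCompat.setRequestedWithHeaderOriginAllowList(
                settings, Collections.unmodifiableSet(new HashSet<>(origins)));
        return true;
    }

    /** Typical wiring: only the app's own backend learns the package name. */
    public static void configure(WebView webView) {
        Set<String> allowed = new HashSet<>();
        allowed.add("https://api.example.com"); // constructed example origin
        if (!allowlistRequestedWithHeader(webView, allowed)) {
            // Feature unavailable: header is absent everywhere, which is the
            // privacy-preserving default; nothing further to do.
        }
    }
}
```

Keep the list to first-party origins: the header value is the app's package name, so each extra origin is another party that can fingerprint users by app membership.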
