Thanks Peter!
Can you say more about timelines? For example, which milestone you would
launch the deprecation trial, and how long will sites have to enroll
before the behavior changes (i.e., what's the milestone for turning XRW
off)?
A blog post in January sounds great - are there any other useful
outreach tools that are useful to the WebView ecosystem? (I have no idea
if Deprecation Reports for a few milestones would be useful...).
On 12/21/22 5:52 AM, Peter Birk Pakkenberg wrote:
Hi Rick, Mike, and blink-dev@
To clarify my last statement, here is our proposed plan:
We intend to start a deprecation trial, which will retain the current
behaviour of sending the X-Requested-With header from WebView clients,
however, as an opt-in rather than default behaviour. This trial is
planned to run for at least one year, but we’d only like it to end
once we have a replacement solution.
Simultaneously, we’re working on gathering requirements and designing
replacement APIs for the key use cases, in a secure and
privacy-conscious manner.
Right now we are looking for approval to start the deprecation trial
and change the header to become opt-in for non-trial-participants,
with the understanding that this will be an ongoing trial with no set
end-date.
We will also publish a blog post in January to further lay out the
reasons behind this change, and the timeline for the deprecation.
Sincerely,
Google Logo
Peter Birk Pakkenberg
Software Engineer
[email protected]
+447469379358
On Mon, 19 Dec 2022 at 18:22, Mike Taylor <[email protected]> wrote:
I'm a big fan of removing passive fingerprinting signals, so
thanks for driving this work. Just a few questions:
https://bugs.chromium.org/p/chromium/issues/detail?id=960720#c2
stated that "changing the default behaviour would be a significant
compatibility risk" - I assume your team is going to publish some
migration guidance for developers to reduce the risk. Can you confirm?
Also, this intent mentions a deprecation trial - does that already
exist? Could you give more details on the plans there? (I don't
recall seeing a "Request for Deprecation Trial" for that, but I'm
bad at email...)
Can you also clarify your proposed timelines (for the deprecation
trial, and removal)?
thanks,
Mike
On 12/19/22 12:13 PM, 'Peter Birk Pakkenberg' via blink-dev wrote:
Hi Rick,
Yes - removal is part of the goal here.
Sincerely,
Google Logo
Peter Birk Pakkenberg
Software Engineer
[email protected]
+447469379358 <tel:+44%207469%20379358>
On Mon, 19 Dec 2022 at 17:08, Rick Byers <[email protected]> wrote:
Thanks for working to remove this non-standard WebView-only
behavior, I agree it's a privacy issue. I assume this is an
"Intent to Deprecate and Remove
<https://www.chromium.org/blink/launching-features/#:~:text=%E2%80%9CIntent%20to%20Deprecate%20and%20Remove%E2%80%9D>"
looking for permission to remove this behavior (not just mark
it 'deprecated'), is that right?
If so, LGTM1.
There may still be some compat and developer messaging risks,
but the WebView team (of which Peter is a member) are the
right experts to navigate those.
On Mon, Dec 19, 2022 at 5:18 AM 'Peter Birk Pakkenberg' via
blink-dev <[email protected]> wrote:
Contact emails
[email protected]
Explainer
None
Specification
Summary
Removes the default X-Requested-With header from HTTP
requests made by WebView.
The X-Requested-With header is set by WebView, with the
package name of the embedding apk as the value.
This use of the header will be discontinued.
Blink component
Mobile>WebView
<https://bugs.chromium.org/p/chromium/issues/list?q=component:Mobile%3EWebView>
Motivation
The header as implemented in WebView does not follow the
principle of meaningful consent of all parties exchanging
the information[1]. Developer can utilize unreliable and
undocumented methods to opt-out.
Users are not provided with an opt-out option. The
content owner is the only party with full control over
the information provided in the header.
APK name is also an abundant source of passive
fingerprinting information about the users. It contains
specific information about the browsing context. When the
application is not omnipresent (i.e. has a relatively
small user base), together with other information (e.g.
approx. geolocation based on an IP address), it can
provide a fairly unique identifier of a user.
On top of those privacy issues, the header is
undocumented, used in non-WebView context for a
completely different purpose, notoriously misunderstood,
and causing security issues since its introduction.
[1]:https://w3ctag.github.io/design-principles/#consent
<https://w3ctag.github.io/design-principles/#consent>
Initial public proposal
Search tags
Headers <https://chromestatus.com/features#tags:Headers>
TAG review
TAG review status
Not applicable
Risks
Interoperability and Compatibility
Gecko: N/A
WebKit: N/A
Web developers: No signals
Other signals:
WebView application risks
Does this intent deprecate or change behavior of existing
APIs, such that it has potentially high risk for Android
WebView-based applications?
This feature removes a header sent by default by WebView.
It should have no direct impact on applications using
WebViews, but sites loaded in the WebView will no longer
receive the X-Requested-With header unless the app
explicitly allowlist the site[1] to receive the header or
the site participates in the deprecation trial.
[1]:https://developer.android.com/reference/androidx/webkit/WebSettingsCompat#setRequestedWithHeaderOriginAllowList(android.webkit.WebSettings,java.util.Set%3Cjava.lang.String%3E)
<https://developer.android.com/reference/androidx/webkit/WebSettingsCompat#setRequestedWithHeaderOriginAllowList(android.webkit.WebSettings,java.util.Set%3Cjava.lang.String%3E)>
Debuggability
Is this feature fully tested by
web-platform-tests
<https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
No
Flag name
WebViewXRequestedWithHeaderControl
Requires code in //chrome?
False
Tracking bug
https://crbug.com/960720 <https://crbug.com/960720>
Launch bug
https://launch.corp.google.com/launch/4136516
<https://launch.corp.google.com/launch/4136516>
Estimated milestones
DevTrial on Android
109
OriginTrial webView first
110
Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5160086884843520
<https://chromestatus.com/feature/5160086884843520>
This intent message was generated by Chrome Platform
Status <https://chromestatus.com/>.
Sincerely,
Google Logo
Peter Birk Pakkenberg
Software Engineer
[email protected]
+447469379358 <tel:+44%207469%20379358>
--
You received this message because you are subscribed to
the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails
from it, send an email to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CACvTYjv0PC76S%3DZkg66V_KCPfrb3tAnryWGnA6TfQz-ay2yXKA%40mail.gmail.com
<https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CACvTYjv0PC76S%3DZkg66V_KCPfrb3tAnryWGnA6TfQz-ay2yXKA%40mail.gmail.com?utm_medium=email&utm_source=footer>.
--
You received this message because you are subscribed to the
Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it,
send an email to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CACvTYjuZy4SeHwVCJ%2BGvawdGrAR6myzAJEwZEX6Jmymii6wxDg%40mail.gmail.com
<https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CACvTYjuZy4SeHwVCJ%2BGvawdGrAR6myzAJEwZEX6Jmymii6wxDg%40mail.gmail.com?utm_medium=email&utm_source=footer>.
--
You received this message because you are subscribed to the Google Groups
"blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/26b7d038-ea18-700d-07f5-74921f35d56c%40chromium.org.
