On 12/21/22 12:27 PM, Peter Birk Pakkenberg wrote:
Hi Mike,
We plan to open the deprecation trial for sign-up in January.
We’re planning to roll out the change in behaviour in M110
Canary/Dev/Beta, and hopefully a small percentage of Stable in M111.
The exact ramp-up schedule after that will depend on feedback, and is
something we’re still figuring out together with other stakeholders,
but we plan to take a careful approach.
Assuming the blog post goes out soon, that gives ~2 months for
developers to notice and implement any necessary changes. It feels a
little bit on the short side. But I'm glad to hear you're working out
the ramp-up details with caution in mind.
If the Deprecation Trial is valid beginning with M110, when does it end?
I don't know that we've shipped "never expires" origin trials before (to
my knowledge they require an expiration date encoded in the token?).
Deprecation Reports is a great idea. I am not sure if these are
supported by WebView, but I will look into that next year.
Sincerely,
Peter Birk Pakkenberg
Software Engineer
[email protected]
+447469379358
On Wed, 21 Dec 2022 at 16:08, Mike Taylor <[email protected]> wrote:
Thanks Peter!
Can you say more about timelines? For example, which milestone you
would launch the deprecation trial, and how long will sites have
to enroll before the behavior changes (i.e., what's the milestone
for turning XRW off)?
A blog post in January sounds great - are there any other useful
outreach tools that are useful to the WebView ecosystem? (I have
no idea if Deprecation Reports for a few milestones would be
useful...).
On 12/21/22 5:52 AM, Peter Birk Pakkenberg wrote:
Hi Rick, Mike, and blink-dev@
To clarify my last statement, here is our proposed plan:
We intend to start a deprecation trial, which will retain the
current behaviour of sending the X-Requested-With header from
WebView clients, however, as an opt-in rather than default
behaviour. This trial is planned to run for at least one year,
but we’d only like it to end once we have a replacement solution.
Simultaneously, we’re working on gathering requirements and
designing replacement APIs for the key use cases, in a secure and
privacy-conscious manner.
Right now we are looking for approval to start the deprecation
trial and change the header to become opt-in for
non-trial-participants, with the understanding that this will be
an ongoing trial with no set end-date.
We will also publish a blog post in January to further lay out
the reasons behind this change, and the timeline for the deprecation.
Sincerely,
Peter Birk Pakkenberg
Software Engineer
[email protected]
+447469379358
On Mon, 19 Dec 2022 at 18:22, Mike Taylor
<[email protected]> wrote:
I'm a big fan of removing passive fingerprinting signals, so
thanks for driving this work. Just a few questions:
https://bugs.chromium.org/p/chromium/issues/detail?id=960720#c2
stated that "changing the default behaviour would be a
significant compatibility risk" - I assume your team is going
to publish some migration guidance for developers to reduce
the risk. Can you confirm?
Also, this intent mentions a deprecation trial - does that
already exist? Could you give more details on the plans
there? (I don't recall seeing a "Request for Deprecation
Trial" for that, but I'm bad at email...)
Can you also clarify your proposed timelines (for the
deprecation trial, and removal)?
thanks,
Mike
On 12/19/22 12:13 PM, 'Peter Birk Pakkenberg' via blink-dev
wrote:
Hi Rick,
Yes - removal is part of the goal here.
Sincerely,
Peter Birk Pakkenberg
Software Engineer
[email protected]
+447469379358
On Mon, 19 Dec 2022 at 17:08, Rick Byers
<[email protected]> wrote:
Thanks for working to remove this non-standard
WebView-only behavior, I agree it's a privacy issue. I
assume this is an "Intent to Deprecate and Remove
<https://www.chromium.org/blink/launching-features/#:~:text=%E2%80%9CIntent%20to%20Deprecate%20and%20Remove%E2%80%9D>"
looking for permission to remove this behavior (not just
mark it 'deprecated'), is that right?
If so, LGTM1.
There may still be some compat and developer messaging
risks, but the WebView team (of which Peter is a member)
are the right experts to navigate those.
On Mon, Dec 19, 2022 at 5:18 AM 'Peter Birk Pakkenberg'
via blink-dev <[email protected]> wrote:
Contact emails
[email protected]
Explainer
None
Specification
Summary
Removes the default X-Requested-With header from
HTTP requests made by WebView.
The X-Requested-With header is set by WebView, with
the package name of the embedding apk as the value.
This use of the header will be discontinued.
Blink component
Mobile>WebView
<https://bugs.chromium.org/p/chromium/issues/list?q=component:Mobile%3EWebView>
Motivation
The header as implemented in WebView does not follow
the principle of meaningful consent of all parties
exchanging the information[1]. Developers can utilize
unreliable and undocumented methods to opt out.
Users are not provided with an opt-out option. The
content owner is the only party with full control
over the information provided in the header.
APK name is also an abundant source of passive
fingerprinting information about the users. It
contains specific information about the browsing
context. When the application is not omnipresent
(i.e. has a relatively small user base), together
with other information (e.g. approx. geolocation
based on an IP address), it can provide a fairly
unique identifier of a user.
On top of those privacy issues, the header is
undocumented, used in non-WebView contexts for a
completely different purpose, notoriously
misunderstood, and has been causing security issues since its
introduction.
[1]: https://w3ctag.github.io/design-principles/#consent
Initial public proposal
Search tags
Headers <https://chromestatus.com/features#tags:Headers>
TAG review
TAG review status
Not applicable
Risks
Interoperability and Compatibility
Gecko: N/A
WebKit: N/A
Web developers: No signals
Other signals:
WebView application risks
Does this intent deprecate or change behavior of
existing APIs, such that it has potentially high
risk for Android WebView-based applications?
This feature removes a header sent by default by
WebView. It should have no direct impact on
applications using WebViews, but sites loaded in the
WebView will no longer receive the X-Requested-With
header unless the app explicitly allowlists the
site[1] to receive the header or the site
participates in the deprecation trial.
[1]: https://developer.android.com/reference/androidx/webkit/WebSettingsCompat#setRequestedWithHeaderOriginAllowList(android.webkit.WebSettings,java.util.Set%3Cjava.lang.String%3E)
Debuggability
Is this feature fully tested by
web-platform-tests
<https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
No
Flag name
WebViewXRequestedWithHeaderControl
Requires code in //chrome?
False
Tracking bug
https://crbug.com/960720
Launch bug
https://launch.corp.google.com/launch/4136516
Estimated milestones
DevTrial on Android
109
OriginTrial webView first
110
Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5160086884843520
This intent message was generated by Chrome Platform
Status <https://chromestatus.com/>.
Sincerely,
Peter Birk Pakkenberg
Software Engineer
[email protected]
+447469379358
--
You received this message because you are subscribed
to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving
emails from it, send an email to
[email protected].
To view this discussion on the web visit
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CACvTYjv0PC76S%3DZkg66V_KCPfrb3tAnryWGnA6TfQz-ay2yXKA%40mail.gmail.com
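The intent above says that once the default is removed, a site only receives X-Requested-With from a WebView if the embedding app allowlists that origin via WebSettingsCompat.setRequestedWithHeaderOriginAllowList (or the site joins the deprecation trial). The snippet below is an added example of how an app would do that, written for this page and not code from the WebView team or the intent. It assumes androidx.webkit 1.6.0 or later (where the allowlist API and the matching WebViewFeature constant were introduced) and uses a hypothetical origin, https://api.example.com, that still depends on the header.

```java
import android.webkit.WebSettings;
import android.webkit.WebView;
import androidx.webkit.WebSettingsCompat;
import androidx.webkit.WebViewFeature;

import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

/**
 * Restricts the X-Requested-With header (value: this app's package name) to
 * the few origins that still need it, instead of the historical default of
 * sending it to every site loaded in the WebView.
 */
public final class RequestedWithHeaderConfig {

    private RequestedWithHeaderConfig() {}

    // Hypothetical origin that still keys behaviour off the package name.
    // Keep this list as small as possible: every entry leaks the package
    // name (a passive fingerprinting signal) to that origin.
    private static final Set<String> HEADER_ORIGINS;
    static {
        Set<String> origins = new HashSet<>();
        origins.add("https://api.example.com");
        HEADER_ORIGINS = Collections.unmodifiableSet(origins);
    }

    /**
     * Applies the allowlist. Returns false when the installed WebView is too
     * old to support the API; in that case the header is still sent to all
     * sites by default and the app has no supported way to limit it.
     */
    public static boolean configure(WebView webView) {
        if (!WebViewFeature.isFeatureSupported(
                WebViewFeature.REQUESTED_WITH_HEADER_ALLOW_LIST)) {
            return false;
        }
        WebSettings settings = webView.getSettings();
        WebSettingsCompat.setRequestedWithHeaderOriginAllowList(settings, HEADER_ORIGINS);
        return true;
    }

    /** Reads back the effective allowlist, e.g. for a debug screen or a unit test. */
    public static Set<String> currentAllowList(WebView webView) {
        if (!WebViewFeature.isFeatureSupported(
                WebViewFeature.REQUESTED_WITH_HEADER_ALLOW_LIST)) {
            return Collections.emptySet();
        }
        return WebSettingsCompat.getRequestedWithHeaderOriginAllowList(webView.getSettings());
    }
}
```

Two caveats a practitioner should keep in mind. First, the header is set by the client, so an allowlisted origin must not treat its value as proof of which app is calling: any HTTP client can send an arbitrary X-Requested-With, and the allowlist only controls what this particular app's WebView sends. Second, the feature check matters on devices with an older WebView, where the call would otherwise throw and where the old send-to-everyone default still applies.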