Hi Mike,

Initially, the trial will end with M125, but we are likely to extend the trial once we get there. By then, we should have a better understanding of the timeline for ending the trial period.

Sincerely,
Peter Birk Pakkenberg
Software Engineer
[email protected]
+447469379358

On Tue, 3 Jan 2023 at 20:13, Mike Taylor <[email protected]> wrote:

> On 12/21/22 12:27 PM, Peter Birk Pakkenberg wrote:
>
> Hi Mike,
>
> We plan to open the deprecation trial for sign-up in January.
>
> We’re planning to roll out the change in behaviour in M110
> Canary/Dev/Beta, and hopefully a small percentage of Stable in M111. The
> exact ramp-up schedule after that will depend on feedback, and is something
> we’re still figuring out together with other stakeholders, but we plan to
> take a careful approach.
>
> Assuming the blog post goes out soon, that gives ~2 months for developers
> to notice and implement any necessary changes. It feels a little bit on the
> short side. But I'm glad to hear you're working out the ramp-up details
> with caution in mind.
>
> If the Deprecation Trial is valid beginning with M110, when does it end? I
> don't know that we've shipped "never expires" origin trials before (to my
> knowledge they require an expiration date encoded in the token?).
>
> Deprecation Reports is a great idea. I am not sure if these are supported
> by WebView, but I will look into that next year.
>
> Sincerely,
> Peter Birk Pakkenberg
> Software Engineer
> [email protected]
> +447469379358
>
> On Wed, 21 Dec 2022 at 16:08, Mike Taylor <[email protected]> wrote:
>
>> Thanks Peter!
>>
>> Can you say more about timelines? For example, which milestone you would
>> launch the deprecation trial, and how long will sites have to enroll before
>> the behavior changes (i.e., what's the milestone for turning XRW off)?
>>
>> A blog post in January sounds great - are there any other useful outreach
>> tools that are useful to the WebView ecosystem? (I have no idea if
>> Deprecation Reports for a few milestones would be useful...).
>>
>> On 12/21/22 5:52 AM, Peter Birk Pakkenberg wrote:
>>
>> Hi Rick, Mike, and blink-dev@
>>
>> To clarify my last statement, here is our proposed plan:
>>
>> We intend to start a deprecation trial, which will retain the current
>> behaviour of sending the X-Requested-With header from WebView clients,
>> however, as an opt-in rather than default behaviour. This trial is planned
>> to run for at least one year, but we’d only like it to end once we have a
>> replacement solution.
>> Simultaneously, we’re working on gathering requirements and designing
>> replacement APIs for the key use cases, in a secure and privacy-conscious
>> manner.
>>
>> Right now we are looking for approval to start the deprecation trial and
>> change the header to become opt-in for non-trial-participants, with the
>> understanding that this will be an ongoing trial with no set end-date.
>>
>> We will also publish a blog post in January to further lay out the
>> reasons behind this change, and the timeline for the deprecation.
>>
>> Sincerely,
>> Peter Birk Pakkenberg
>> Software Engineer
>> [email protected]
>> +447469379358
>>
>> On Mon, 19 Dec 2022 at 18:22, Mike Taylor <[email protected]> wrote:
>>
>>> I'm a big fan of removing passive fingerprinting signals, so thanks for
>>> driving this work. Just a few questions:
>>>
>>> https://bugs.chromium.org/p/chromium/issues/detail?id=960720#c2 stated
>>> that "changing the default behaviour would be a significant compatibility
>>> risk" - I assume your team is going to publish some migration guidance for
>>> developers to reduce the risk. Can you confirm?
>>>
>>> Also, this intent mentions a deprecation trial - does that already
>>> exist? Could you give more details on the plans there? (I don't recall
>>> seeing a "Request for Deprecation Trial" for that, but I'm bad at email...)
>>>
>>> Can you also clarify your proposed timelines (for the deprecation trial,
>>> and removal)?
>>>
>>> thanks,
>>> Mike
>>>
>>> On 12/19/22 12:13 PM, 'Peter Birk Pakkenberg' via blink-dev wrote:
>>>
>>> Hi Rick,
>>>
>>> Yes - removal is part of the goal here.
>>>
>>> Sincerely,
>>> Peter Birk Pakkenberg
>>> Software Engineer
>>> [email protected]
>>> +447469379358
>>>
>>> On Mon, 19 Dec 2022 at 17:08, Rick Byers <[email protected]> wrote:
>>>
>>>> Thanks for working to remove this non-standard WebView-only behavior, I
>>>> agree it's a privacy issue. I assume this is an "Intent to Deprecate
>>>> and Remove
>>>> <https://www.chromium.org/blink/launching-features/#:~:text=%E2%80%9CIntent%20to%20Deprecate%20and%20Remove%E2%80%9D>"
>>>> looking for permission to remove this behavior (not just mark it
>>>> 'deprecated'), is that right?
>>>>
>>>> If so, LGTM1.
>>>>
>>>> There may still be some compat and developer messaging risks, but the
>>>> WebView team (of which Peter is a member) are the right experts to navigate
>>>> those.
>>>>
>>>> On Mon, Dec 19, 2022 at 5:18 AM 'Peter Birk Pakkenberg' via blink-dev <[email protected]> wrote:
>>>>
>>>>> Contact emails
>>>>>
>>>>> [email protected]
>>>>>
>>>>> Explainer
>>>>>
>>>>> None
>>>>>
>>>>> Specification
>>>>>
>>>>> Summary
>>>>>
>>>>> Removes the default X-Requested-With header from HTTP requests made by
>>>>> WebView.
>>>>>
>>>>> The X-Requested-With header is set by WebView, with the package name
>>>>> of the embedding apk as the value.
>>>>>
>>>>> This use of the header will be discontinued.
>>>>>
>>>>> Blink component
>>>>>
>>>>> Mobile>WebView
>>>>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Mobile%3EWebView>
>>>>>
>>>>> Motivation
>>>>>
>>>>> The header as implemented in WebView does not follow the principle of
>>>>> meaningful consent of all parties exchanging the information[1]. Developers
>>>>> can utilize unreliable and undocumented methods to opt out.
>>>>>
>>>>> Users are not provided with an opt-out option. The content owner is
>>>>> the only party with full control over the information provided in the
>>>>> header.
>>>>>
>>>>> APK name is also an abundant source of passive fingerprinting
>>>>> information about the users. It contains specific information about the
>>>>> browsing context. When the application is not omnipresent (i.e. has a
>>>>> relatively small user base), together with other information (e.g. approx.
>>>>> geolocation based on an IP address), it can provide a fairly unique
>>>>> identifier of a user.
>>>>>
>>>>> On top of those privacy issues, the header is undocumented, used in
>>>>> non-WebView context for a completely different purpose, notoriously
>>>>> misunderstood, and causing security issues since its introduction.
>>>>>
>>>>> [1]: https://w3ctag.github.io/design-principles/#consent
>>>>>
>>>>> Initial public proposal
>>>>>
>>>>> Search tags
>>>>>
>>>>> Headers <https://chromestatus.com/features#tags:Headers>
>>>>>
>>>>> TAG review
>>>>>
>>>>> TAG review status
>>>>>
>>>>> Not applicable
>>>>>
>>>>> Risks
>>>>>
>>>>> Interoperability and Compatibility
>>>>>
>>>>> Gecko: N/A
>>>>>
>>>>> WebKit: N/A
>>>>>
>>>>> Web developers: No signals
>>>>>
>>>>> Other signals:
>>>>>
>>>>> WebView application risks
>>>>>
>>>>> Does this intent deprecate or change behavior of existing APIs, such
>>>>> that it has potentially high risk for Android WebView-based applications?
>>>>>
>>>>> This feature removes a header sent by default by WebView. It should
>>>>> have no direct impact on applications using WebViews, but sites loaded in
>>>>> the WebView will no longer receive the X-Requested-With header unless the
>>>>> app explicitly allowlists the site[1] to receive the header or the site
>>>>> participates in the deprecation trial.
>>>>>
>>>>> [1]:
>>>>> https://developer.android.com/reference/androidx/webkit/WebSettingsCompat#setRequestedWithHeaderOriginAllowList(android.webkit.WebSettings,java.util.Set%3Cjava.lang.String%3E)
>>>>>
>>>>> Debuggability
>>>>>
>>>>> Is this feature fully tested by web-platform-tests
>>>>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>
>>>>> ?
>>>>>
>>>>> No
>>>>>
>>>>> Flag name
>>>>>
>>>>> WebViewXRequestedWithHeaderControl
>>>>>
>>>>> Requires code in //chrome?
>>>>>
>>>>> False
>>>>>
>>>>> Tracking bug
>>>>>
>>>>> https://crbug.com/960720
>>>>>
>>>>> Launch bug
>>>>>
>>>>> https://launch.corp.google.com/launch/4136516
>>>>>
>>>>> Estimated milestones
>>>>>
>>>>> DevTrial on Android
>>>>>
>>>>> 109
>>>>>
>>>>> OriginTrial webView first
>>>>>
>>>>> 110
>>>>>
>>>>> Link to entry on the Chrome Platform Status
>>>>>
>>>>> https://chromestatus.com/feature/5160086884843520
>>>>>
>>>>> This intent message was generated by Chrome Platform Status
>>>>> <https://chromestatus.com/>.
>>>>>
>>>>> Sincerely,
>>>>> Peter Birk Pakkenberg
>>>>> Software Engineer
>>>>> [email protected]
>>>>> +447469379358
>>>>> --
>>>>> You received this message because you are subscribed to the Google
>>>>> Groups "blink-dev" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>>> an email to [email protected].
>>>>> To view this discussion on the web visit
>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CACvTYjv0PC76S%3DZkg66V_KCPfrb3tAnryWGnA6TfQz-ay2yXKA%40mail.gmail.com
>>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CACvTYjv0PC76S%3DZkg66V_KCPfrb3tAnryWGnA6TfQz-ay2yXKA%40mail.gmail.com?utm_medium=email&utm_source=footer>
>>>>> .
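
For site owners gauging their exposure to the change discussed in this thread, an added example (not part of the thread and not Chromium code) that sorts observed X-Requested-With values into app package names as WebView sends them, the `XMLHttpRequest` value that JavaScript libraries set in non-WebView contexts, and absent. The record shape, function names and sample requests are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Android application IDs: at least two dot-separated segments, each starting
# with a letter and containing only letters, digits or underscores.
_PACKAGE_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]*(?:\.[A-Za-z][A-Za-z0-9_]*)+")


def classify_xrw(value):
    """Classify one X-Requested-With value (None when the header is absent)."""
    if value is None or not value.strip():
        return "absent"
    value = value.strip()
    if value.lower() == "xmlhttprequest":
        return "xhr"              # the unrelated JavaScript-library convention
    if _PACKAGE_RE.fullmatch(value):
        return "webview-package"  # package name of the embedding app
    return "other"


def audit(requests):
    """Return ({path: {category: count}}, {path: set of package names})."""
    counts = defaultdict(lambda: defaultdict(int))
    packages = defaultdict(set)
    for path, headers in requests:
        # HTTP header names are case-insensitive.
        lowered = {k.lower(): v for k, v in headers.items()}
        value = lowered.get("x-requested-with")
        category = classify_xrw(value)
        counts[path][category] += 1
        if category == "webview-package":
            packages[path].add(value.strip())
    return {p: dict(c) for p, c in counts.items()}, dict(packages)


# Constructed sample requests (path, headers); not taken from any real log.
SAMPLE = [
    ("/login", {"X-Requested-With": "com.example.shop"}),
    ("/login", {"x-requested-with": "com.example.news_reader"}),
    ("/login", {"User-Agent": "Mozilla/5.0"}),
    ("/api/cart", {"X-Requested-With": "XMLHttpRequest"}),
    ("/api/cart", {"X-Requested-With": "com.example.shop"}),
    ("/static/app.js", {}),
]

if __name__ == "__main__":
    counts, packages = audit(SAMPLE)
    for path in sorted(counts):
        print(path, counts[path], sorted(packages.get(path, ())))
```

Paths that show up with `webview-package` values are the ones whose server-side logic may rely on the header and would stop seeing it once it becomes opt-in.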
