Hi blink-dev@

I wanted to update you on the deprecation trial for the X-Requested-With header deprecation <https://chromestatus.com/feature/5160086884843520>, as we are planning to change the trial to allow third-party enablement.

We have received developer feedback that it should be possible to re-enable the X-Requested-With header on cross-origin requests, where a service that relies on the header is being called without the option to respond with an Origin-Trial HTTP header on a navigation request, or by running a script of its own. An example of this is a web service which simply provides a JSON endpoint. Because the trial changes request header behaviour, we think that this feature request is reasonable. We want to provide a solution where the deprecation of the header can still be impactful, while services that rely on it can retain it during the deprecation period.

To solve this use case, we propose that the trial can be enabled on behalf of the service, by letting the calling script provide a third-party origin trial token on behalf of the service it wishes to call. Third-party origin trial tokens are an existing mechanism for trial enablement. By supplying a token for the target origin, a script can signal that it wishes to enable a trial for a particular service, without re-enabling the X-Requested-With header for the whole frame.

Aside from these changes, the plan or purpose for the trial has not changed.

Sincerely,
Peter Birk Pakkenberg
Software Engineer
pb...@google.com

On Thu, 5 Jan 2023 at 12:10, Peter Birk Pakkenberg <pb...@google.com> wrote:
> Hi Mike,
>
> Initially, the trial will end with M125, but we are likely to extend the trial once we get there. By then, we should have a better understanding of the timeline for ending the trial period.
>
> Sincerely,
> Peter Birk Pakkenberg
>
> On Tue, 3 Jan 2023 at 20:13, Mike Taylor <miketa...@chromium.org> wrote:
>
>> On 12/21/22 12:27 PM, Peter Birk Pakkenberg wrote:
>>
>> Hi Mike,
>>
>> We plan to open the deprecation trial for sign-up in January.
>>
>> We're planning to roll out the change in behaviour in M110 Canary/Dev/Beta, and hopefully a small percentage of Stable in M111. The exact ramp-up schedule after that will depend on feedback, and is something we're still figuring out together with other stakeholders, but we plan to take a careful approach.
>>
>> Assuming the blog post goes out soon, that gives ~2 months for developers to notice and implement any necessary changes. It feels a little bit on the short side. But I'm glad to hear you're working out the ramp-up details with caution in mind.
>>
>> If the Deprecation Trial is valid beginning with M110, when does it end? I don't know that we've shipped "never expires" origin trials before (to my knowledge they require an expiration date encoded in the token?).
>>
>> Deprecation Reports is a great idea. I am not sure if these are supported by WebView, but I will look into that next year.
>>
>> Sincerely,
>> Peter Birk Pakkenberg
>>
>> On Wed, 21 Dec 2022 at 16:08, Mike Taylor <miketa...@chromium.org> wrote:
>>
>>> Thanks Peter!
>>>
>>> Can you say more about timelines? For example, which milestone you would launch the deprecation trial, and how long will sites have to enroll before the behavior changes (i.e., what's the milestone for turning XRW off)?
>>>
>>> A blog post in January sounds great - are there any other useful outreach tools that are useful to the WebView ecosystem? (I have no idea if Deprecation Reports for a few milestones would be useful...).
>>>
>>> On 12/21/22 5:52 AM, Peter Birk Pakkenberg wrote:
>>>
>>> Hi Rick, Mike, and blink-dev@
>>>
>>> To clarify my last statement, here is our proposed plan:
>>>
>>> We intend to start a deprecation trial, which will retain the current behaviour of sending the X-Requested-With header from WebView clients, however, as an opt-in rather than default behaviour. This trial is planned to run for at least one year, but we'd only like it to end once we have a replacement solution.
>>>
>>> Simultaneously, we're working on gathering requirements and designing replacement APIs for the key use cases, in a secure and privacy-conscious manner.
>>>
>>> Right now we are looking for approval to start the deprecation trial and change the header to become opt-in for non-trial-participants, with the understanding that this will be an ongoing trial with no set end-date.
>>>
>>> We will also publish a blog post in January to further lay out the reasons behind this change, and the timeline for the deprecation.
>>>
>>> Sincerely,
>>> Peter Birk Pakkenberg
>>>
>>> On Mon, 19 Dec 2022 at 18:22, Mike Taylor <miketa...@chromium.org> wrote:
>>>
>>>> I'm a big fan of removing passive fingerprinting signals, so thanks for driving this work. Just a few questions:
>>>>
>>>> https://bugs.chromium.org/p/chromium/issues/detail?id=960720#c2 stated that "changing the default behaviour would be a significant compatibility risk" - I assume your team is going to publish some migration guidance for developers to reduce the risk. Can you confirm?
>>>>
>>>> Also, this intent mentions a deprecation trial - does that already exist? Could you give more details on the plans there? (I don't recall seeing a "Request for Deprecation Trial" for that, but I'm bad at email...)
>>>>
>>>> Can you also clarify your proposed timelines (for the deprecation trial, and removal)?
>>>>
>>>> thanks,
>>>> Mike
>>>>
>>>> On 12/19/22 12:13 PM, 'Peter Birk Pakkenberg' via blink-dev wrote:
>>>>
>>>> Hi Rick,
>>>>
>>>> Yes - removal is part of the goal here.
>>>>
>>>> Sincerely,
>>>> Peter Birk Pakkenberg
>>>>
>>>> On Mon, 19 Dec 2022 at 17:08, Rick Byers <rby...@chromium.org> wrote:
>>>>
>>>>> Thanks for working to remove this non-standard WebView-only behavior, I agree it's a privacy issue. I assume this is an "Intent to Deprecate and Remove <https://www.chromium.org/blink/launching-features/#:~:text=%E2%80%9CIntent%20to%20Deprecate%20and%20Remove%E2%80%9D>" looking for permission to remove this behavior (not just mark it 'deprecated'), is that right?
>>>>>
>>>>> If so, LGTM1.
>>>>>
>>>>> There may still be some compat and developer messaging risks, but the WebView team (of which Peter is a member) are the right experts to navigate those.
>>>>>
>>>>> On Mon, Dec 19, 2022 at 5:18 AM 'Peter Birk Pakkenberg' via blink-dev <blink-dev@chromium.org> wrote:
>>>>>
>>>>>> Contact emails
>>>>>>
>>>>>> pb...@google.com
>>>>>>
>>>>>> Explainer
>>>>>>
>>>>>> None
>>>>>>
>>>>>> Specification
>>>>>>
>>>>>> Summary
>>>>>>
>>>>>> Removes the default X-Requested-With header from HTTP requests made by WebView.
>>>>>>
>>>>>> The X-Requested-With header is set by WebView, with the package name of the embedding apk as the value.
>>>>>>
>>>>>> This use of the header will be discontinued.
>>>>>>
>>>>>> Blink component
>>>>>>
>>>>>> Mobile>WebView <https://bugs.chromium.org/p/chromium/issues/list?q=component:Mobile%3EWebView>
>>>>>>
>>>>>> Motivation
>>>>>>
>>>>>> The header as implemented in WebView does not follow the principle of meaningful consent of all parties exchanging the information[1]. Developers can utilize unreliable and undocumented methods to opt out.
>>>>>>
>>>>>> Users are not provided with an opt-out option. The content owner is the only party with full control over the information provided in the header.
>>>>>>
>>>>>> APK name is also an abundant source of passive fingerprinting information about the users. It contains specific information about the browsing context. When the application is not omnipresent (i.e. has a relatively small user base), together with other information (e.g. approx. geolocation based on an IP address), it can provide a fairly unique identifier of a user.
>>>>>>
>>>>>> On top of those privacy issues, the header is undocumented, used in non-WebView context for a completely different purpose, notoriously misunderstood, and causing security issues since its introduction.
>>>>>>
>>>>>> [1]: https://w3ctag.github.io/design-principles/#consent
>>>>>>
>>>>>> Initial public proposal
>>>>>>
>>>>>> Search tags
>>>>>>
>>>>>> Headers <https://chromestatus.com/features#tags:Headers>
>>>>>>
>>>>>> TAG review
>>>>>>
>>>>>> TAG review status
>>>>>>
>>>>>> Not applicable
>>>>>>
>>>>>> Risks
>>>>>>
>>>>>> Interoperability and Compatibility
>>>>>>
>>>>>> Gecko: N/A
>>>>>>
>>>>>> WebKit: N/A
>>>>>>
>>>>>> Web developers: No signals
>>>>>>
>>>>>> Other signals:
>>>>>>
>>>>>> WebView application risks
>>>>>>
>>>>>> Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
>>>>>>
>>>>>> This feature removes a header sent by default by WebView. It should have no direct impact on applications using WebViews, but sites loaded in the WebView will no longer receive the X-Requested-With header unless the app explicitly allowlists the site[1] to receive the header or the site participates in the deprecation trial.
>>>>>>
>>>>>> [1]: https://developer.android.com/reference/androidx/webkit/WebSettingsCompat#setRequestedWithHeaderOriginAllowList(android.webkit.WebSettings,java.util.Set%3Cjava.lang.String%3E)
>>>>>>
>>>>>> Debuggability
>>>>>>
>>>>>> Is this feature fully tested by web-platform-tests <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
>>>>>>
>>>>>> No
>>>>>>
>>>>>> Flag name
>>>>>>
>>>>>> WebViewXRequestedWithHeaderControl
>>>>>>
>>>>>> Requires code in //chrome?
>>>>>>
>>>>>> False
>>>>>>
>>>>>> Tracking bug
>>>>>>
>>>>>> https://crbug.com/960720
>>>>>>
>>>>>> Launch bug
>>>>>>
>>>>>> https://launch.corp.google.com/launch/4136516
>>>>>>
>>>>>> Estimated milestones
>>>>>>
>>>>>> DevTrial on Android: 109
>>>>>>
>>>>>> OriginTrial webView first: 110
>>>>>>
>>>>>> Link to entry on the Chrome Platform Status
>>>>>>
>>>>>> https://chromestatus.com/feature/5160086884843520
>>>>>>
>>>>>> This intent message was generated by Chrome Platform Status <https://chromestatus.com/>.
>>>>>>
>>>>>> Sincerely,
>>>>>> Peter Birk Pakkenberg
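As an added example (not code from this thread or from the WebView project), the following shows how an embedding app could use the androidx.webkit allowlist linked in the Risks section so that the X-Requested-With header keeps being sent only to the one backend that still depends on it, rather than to every site loaded in the WebView. It assumes androidx.webkit 1.6.0 or later, that WebViewFeature.REQUESTED_WITH_HEADER_ALLOW_LIST is the feature constant to check before calling the API, and uses https://api.example.com as a placeholder origin.

```java
import android.webkit.WebSettings;
import android.webkit.WebView;
import androidx.webkit.WebSettingsCompat;
import androidx.webkit.WebViewFeature;
import java.util.Collections;
import java.util.Set;

/** Limits the WebView X-Requested-With header to origins that still need it. */
public final class RequestedWithHeaderPolicy {

    // Constructed placeholder: the single backend that still keys on the header.
    private static final Set<String> ALLOWED_ORIGINS =
            Collections.singleton("https://api.example.com");

    private RequestedWithHeaderPolicy() {}

    /**
     * Applies the allowlist to the given WebView.
     * Returns false when the installed WebView does not support the control;
     * in that case nothing is changed and that WebView version's default applies.
     */
    public static boolean applyTo(WebView webView) {
        // Assumed feature constant for the allowlist control (androidx.webkit).
        if (!WebViewFeature.isFeatureSupported(
                WebViewFeature.REQUESTED_WITH_HEADER_ALLOW_LIST)) {
            return false;
        }
        for (String origin : ALLOWED_ORIGINS) {
            // Refuse an allowlist that would re-enable the header for every site
            // or for plaintext HTTP: only explicit https origins are accepted here.
            String host = origin.startsWith("https://")
                    ? origin.substring("https://".length()) : "";
            if (host.isEmpty() || host.equals("*")) {
                throw new IllegalArgumentException("Unsafe allowlist entry: " + origin);
            }
        }
        WebSettings settings = webView.getSettings();
        WebSettingsCompat.setRequestedWithHeaderOriginAllowList(settings, ALLOWED_ORIGINS);
        return true;
    }
}
```

Call applyTo(webView) once, before the first loadUrl, so the policy is in place for every request the WebView makes.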