This effectively allows all the malicious app devs to steal content from 
other websites. I fail to understand why people want this to be removed 
unless they are planning to steal content from websites; if they are not 
planning to do anything to hurt the website owners, there is no fear of 
exposing this header at all.

For APKs on the Google Play Store we can report the offending app, but what about 
third-party APKs?

It is a very bad decision to remove this header for WebView.

Still, thank you for making way for the thieves.

On Friday 5 January 2024 at 04:23:08 UTC+8 Aman Bansal wrote:

> That header is still sent even after I updated everything to the latest 
> version.
> Android System Webview: 122.0.6181.0
> Chrome: 122.0.6181.0
>
> I am totally confused why it is still sending `X-Requested-With` if it 
> is already deprecated?
>
>
>
> On Monday, December 19, 2022 at 3:48:35 PM UTC+5:30 Peter Birk Pakkenberg 
> wrote:
>
>> Contact emails
>>
>> [email protected]
>>
>> Explainer
>>
>> None
>>
>> Specification
>>
>> Summary
>>
>> Removes the default X-Requested-With header from HTTP requests made by 
>> WebView.
>>
>> The X-Requested-With header is set by WebView, with the package name of 
>> the embedding apk as the value.
>>
>> This use of the header will be discontinued.
>>
>>
>> Blink component
>>
>> Mobile>WebView 
>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Mobile%3EWebView>
>>
>> Motivation
>>
>> The header as implemented in WebView does not follow the principle of 
>> meaningful consent of all parties exchanging the information[1]. Developers 
>> can utilize unreliable and undocumented methods to opt out. 
>>
>> Users are not provided with an opt-out option. The content owner is the 
>> only party with full control over the information provided in the header.
>>
>> The APK name is also an abundant source of passive fingerprinting information 
>> about the users. It contains specific information about the browsing 
>> context. When the application is not omnipresent (i.e. has a relatively 
>> small user base), together with other information (e.g. approximate geolocation 
>> based on an IP address), it can provide a fairly unique identifier of a 
>> user.
>>
>> On top of those privacy issues, the header is undocumented, used in 
>> non-WebView context for a completely different purpose, notoriously 
>> misunderstood, and causing security issues since its introduction.
>>
>> [1]: https://w3ctag.github.io/design-principles/#consent
>>
>>
>>
>> Initial public proposal
>>
>> Search tags
>>
>> Headers <https://chromestatus.com/features#tags:Headers>
>>
>> TAG review
>>
>> TAG review status
>>
>> Not applicable
>>
>> Risks
>>
>> Interoperability and Compatibility
>>
>> Gecko: N/A
>>
>> WebKit: N/A
>>
>> Web developers: No signals
>>
>> Other signals:
>>
>> WebView application risks
>>
>> Does this intent deprecate or change behavior of existing APIs, such that 
>> it has potentially high risk for Android WebView-based applications?
>>
>> This feature removes a header sent by default by WebView. It should have 
>> no direct impact on applications using WebViews, but sites loaded in the 
>> WebView will no longer receive the X-Requested-With header unless the app 
>> explicitly allowlists the site[1] to receive the header or the site 
>> participates in the deprecation trial.
>>
>> [1]: 
>> https://developer.android.com/reference/androidx/webkit/WebSettingsCompat#setRequestedWithHeaderOriginAllowList(android.webkit.WebSettings,java.util.Set%3Cjava.lang.String%3E)
>>
>>
>> Debuggability
>>
>> Is this feature fully tested by web-platform-tests 
>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>
>> ?
>>
>> No
>>
>> Flag name
>>
>> WebViewXRequestedWithHeaderControl
>>
>> Requires code in //chrome?
>>
>> False
>>
>> Tracking bug
>>
>> https://crbug.com/960720
>>
>> Launch bug
>>
>> https://launch.corp.google.com/launch/4136516
>>
>> Estimated milestones
>>
>> DevTrial on Android
>>
>> 109
>>
>> OriginTrial webView first
>>
>> 110
>>
>>
>>
>> Link to entry on the Chrome Platform Status
>>
>> https://chromestatus.com/feature/5160086884843520
>>
>> This intent message was generated by Chrome Platform Status 
>> <https://chromestatus.com/>.
>>
>>
>> Sincerely,
>> Peter Birk Pakkenberg
>> Software Engineer
>> [email protected]
>> +447469379358 <+44%207469%20379358>
>>
>
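The allowlist mechanism referenced in the intent ([1] in the "WebView application risks" section) is the androidx.webkit `WebSettingsCompat.setRequestedWithHeaderOriginAllowList` API. The following is an added example, not code from the thread or from the Chromium project, showing how an app that owns the site it loads can opt that site back in to receiving the header; the origin `https://example.test` is a constructed placeholder, and the feature check guards against WebView versions that do not support the allowlist.

```java
import android.webkit.WebSettings;
import android.webkit.WebView;
import androidx.webkit.WebSettingsCompat;
import androidx.webkit.WebViewFeature;

import java.util.Collections;
import java.util.Set;

/** Opt specific origins back in to the X-Requested-With header (added example). */
public final class RequestedWithAllowList {

    // Constructed placeholder: only origins the app developer controls belong here,
    // since the header reveals the embedding app's package name to that site.
    static final Set<String> OWN_ORIGINS = Collections.singleton("https://example.test");

    private RequestedWithAllowList() {}

    /**
     * Restores the X-Requested-With header for the given origins only.
     *
     * @return true if the allowlist was applied, false if the installed WebView
     *         does not support the feature (the header then stays off for all sites
     *         once the default is removed, and no configuration is changed here).
     */
    public static boolean apply(WebView webView, Set<String> allowedOrigins) {
        // Older WebView builds do not implement the allowlist; calling the
        // compat method without this check throws UnsupportedOperationException.
        if (!WebViewFeature.isFeatureSupported(
                WebViewFeature.REQUESTED_WITH_HEADER_ALLOW_LIST)) {
            return false;
        }
        WebSettings settings = webView.getSettings();
        WebSettingsCompat.setRequestedWithHeaderOriginAllowList(settings, allowedOrigins);
        return true;
    }

    /** Typical call site, e.g. from Activity.onCreate after the WebView is inflated. */
    public static boolean applyDefaults(WebView webView) {
        return apply(webView, OWN_ORIGINS);
    }
}
```

Because the value is chosen by the embedding app and can be omitted or altered by any app, a server should treat the header as an informational hint from cooperating apps, not as proof of which app (or that any app) originated the request.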

-- 
You received this message because you are subscribed to the Google Groups 
"blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/a6714c9f-d91f-48a2-9807-d221b0c88b0fn%40chromium.org.
