Re: [blink-dev] Intent to Extend Deprecation Trial: Removal of X-Requested-With in WebView

[Daniel Bratell]

This being beyond the normal scope of an extension will require three 
LGTMS so here is the first one:

LGTM1
I appreciate that it's not optimal in any way to have something like 
this running this long, but I sympathize with the end result and 
understand that App developers can need both longer to develop and 
especially longer to deploy to all users. That as many as 10k 
applications have adapted the new API is a good sign too.

If I were going to ask for anything else (which might make it easier for 
others to approve it), it would be proof that usage is dropping so that 
we won't have to extend it again.

/Daniel

On 2024-03-27 12:15, Peter Birk Pakkenberg wrote:

Hello Blink-dev.


I would like to extend the ‘X-Requested-With in WebView Deprecation’ 
trial until M138 in line with the premise made below in the Summary 
below. I am asking for an extension of 12 milestones instead of the 
customary 6 
<https://www.chromium.org/blink/launching-features/#deprecation-trial>to 
avoid undue churn for the almost 100 origins that have signed up for 
the trial, as we expect that it will take at least another year to 
address the remaining use cases.


The feature is currently disabled on 5% of stable traffic, and we have 
developed the Android WebView Media Integrity API 
<https://android-developers.googleblog.com/2023/11/increasing-trust-for-embedded-media.html>as 
a solution for uses of the header for media content providers. We have 
also launched an Android API for app developers to enable the header 
for select origins 
<https://developer.android.com/reference/androidx/webkit/WebSettingsCompat#setRequestedWithHeaderOriginAllowList(android.webkit.WebSettings,java.util.Set%3Cjava.lang.String%3E)>which 
has been adopted by almost 10k applications so far. This is an 
alternative available to Android apps that only display Web content 
they trust. We are still looking to address further use cases in the 
anti-abuse and anti-fraud space before we can fully disable the header.



        Contact emails

pb...@google.com


        Explainer

None


        Specification

None


        Summary

Removes the default X-Requested-With header from HTTP requests made by 
WebView.


The X-Requested-With header is set by WebView, with the package name 
of the embedding apk as the value. This use of the header will be 
discontinued.


Developers who rely on this header can sign up for a deprecation 
origin trial [1] to continue to receive the header during the 
deprecation period.


The deprecation origin trial will be extended until replacement APIs 
are available to address use cases of the header, as explained in this 
Android Developer Blog Post [2]


[1]:https://developer.chrome.com/origintrials/#/view_trial/1390486384950640641 
<https://developer.chrome.com/origintrials/#/view_trial/1390486384950640641>

[2]:https://android-developers.googleblog.com/2023/02/improving-user-privacy-by-requiring-opt-in-to-send-x-requested-wih-header-from-webview.html 
<https://android-developers.googleblog.com/2023/02/improving-user-privacy-by-requiring-opt-in-to-send-x-requested-wih-header-from-webview.html>



        Blink component

Mobile>WebView 
<https://bugs.chromium.org/p/chromium/issues/list?q=component:Mobile%3EWebView>


        Search tags

Headers <https://chromestatus.com/features#tags:Headers>


        TAG review



        TAG review status

Not applicable


        Chromium Trial Name

WebViewXRequestedWithDeprecation


        Link to origin trial feedback summary

https://docs.google.com/document/d/e/2PACX-1vR-ZraJ4sDSGpo2mhye1c2Z1HOl8ZqQ2iDnT2TCQ-Mj1cS1_-2OzN0OeV0Ctayu9Sm6XejgZmwXVDqE/pub 
<https://docs.google.com/document/d/e/2PACX-1vR-ZraJ4sDSGpo2mhye1c2Z1HOl8ZqQ2iDnT2TCQ-Mj1cS1_-2OzN0OeV0Ctayu9Sm6XejgZmwXVDqE/pub>



        Origin Trial documentation link

https://docs.google.com/document/d/e/2PACX-1vSSTEsHVfTXwOW80Tqy4c5TW6wSnt9b8v7-ZWUF3ZqLDs03EatEuyPCqwaUaa2s0a7mFm3Wh61bgVoz/pub 
<https://docs.google.com/document/d/e/2PACX-1vSSTEsHVfTXwOW80Tqy4c5TW6wSnt9b8v7-ZWUF3ZqLDs03EatEuyPCqwaUaa2s0a7mFm3Wh61bgVoz/pub>


        Risks



        Interoperability and Compatibility



Gecko: N/A


WebKit: N/A


Web developers: The X-Requested-With header is widely used for both 
anti-fraud and application allowlisting use cases, despite its 
inherent unreliability. These web services are concerned about the 
removal of the header without replacement technologies to facilitate 
their current reasons for consuming the header.


Other signals:


        WebView application risks

Does this intent deprecate or change behavior of existing APIs, such 
that it has potentially high risk for Android WebView-based applications?

This feature removes a header sent by default by WebView. It should 
have no direct impact on applications using WebViews, but sites loaded 
in the WebView will no longer receive the X-Requested-With header 
unless the app explicitly allowlist the site[1] to receive the header 
or the site participates in the deprecation trial.


[1]:https://developer.android.com/reference/androidx/webkit/WebSettingsCompat#setRequestedWithHeaderOriginAllowList(android.webkit.WebSettings,java.util.Set%3Cjava.lang.String%3E) 
<https://developer.android.com/reference/androidx/webkit/WebSettingsCompat#setRequestedWithHeaderOriginAllowList(android.webkit.WebSettings,java.util.Set%3Cjava.lang.String%3E)>



        Debuggability



        Is this feature fully tested by web-platform-tests
        
<https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?

No


        Flag name on chrome://flags

None


        Finch feature name

WebViewXRequestedWithHeaderControl


        Non-finch justification

None


        Requires code in //chrome?

False


        Tracking bug

https://crbug.com/960720 <https://crbug.com/960720>


        Launch bug

https://launch.corp.google.com/launch/4136516 
<https://launch.corp.google.com/launch/4136516>


        Estimated milestones

DevTrial on Android

        

109


Shipping on WebView

        

114

OriginTrial webView last

        

138

OriginTrial webView first

        

110




        Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5160086884843520 
<https://chromestatus.com/feature/5160086884843520>


        Links to previous Intent discussions

Intent to Experiment: 
https://groups.google.com/a/chromium.org/g/blink-dev/c/k9HL9muJPxs 
<https://groups.google.com/a/chromium.org/g/blink-dev/c/k9HL9muJPxs>



This intent message was generated by Chrome Platform Status 
<https://chromestatus.com/>.


Google Logo     
Peter Birk Pakkenberg
Software Engineer
pb...@chromium.org

--
You received this message because you are subscribed to the Google 
Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send 
an email to blink-dev+unsubscr...@chromium.org.
To view this discussion on the web visit 
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CACvTYjsq%2BesCrmUEmo5%2BzSUMGw81WmbnoFeL85ajGq2xz5PBGw%40mail.gmail.com 
<https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CACvTYjsq%2BesCrmUEmo5%2BzSUMGw81WmbnoFeL85ajGq2xz5PBGw%40mail.gmail.com?utm_medium=email&utm_source=footer>.

--
You received this message because you are subscribed to the Google Groups 
"blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to blink-dev+unsubscr...@chromium.org.
To view this discussion on the web visit 
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/e0b42f5f-2d8e-4955-bfc7-e3c7173e35ca%40gmail.com.