This being beyond the normal scope of an extension will require three
LGTMs so here is the first one:
LGTM1
I appreciate that it's not optimal in any way to have something like
this running this long, but I sympathize with the end result and
understand that App developers can need both longer to develop and
especially longer to deploy to all users. That as many as 10k
applications have adapted the new API is a good sign too.
If I were going to ask for anything else (which might make it easier for
others to approve it), it would be proof that usage is dropping so that
we won't have to extend it again.
/Daniel
On 2024-03-27 12:15, Peter Birk Pakkenberg wrote:
Hello Blink-dev.
I would like to extend the ‘X-Requested-With in WebView Deprecation’
trial until M138 in line with the premise made in the Summary
below. I am asking for an extension of 12 milestones instead of the
customary 6
<https://www.chromium.org/blink/launching-features/#deprecation-trial> to
avoid undue churn for the almost 100 origins that have signed up for
the trial, as we expect that it will take at least another year to
address the remaining use cases.
The feature is currently disabled on 5% of stable traffic, and we have
developed the Android WebView Media Integrity API
<https://android-developers.googleblog.com/2023/11/increasing-trust-for-embedded-media.html> as
a solution for uses of the header for media content providers. We have
also launched an Android API for app developers to enable the header
for select origins
<https://developer.android.com/reference/androidx/webkit/WebSettingsCompat#setRequestedWithHeaderOriginAllowList(android.webkit.WebSettings,java.util.Set%3Cjava.lang.String%3E)> which
has been adopted by almost 10k applications so far. This is an
alternative available to Android apps that only display Web content
they trust. We are still looking to address further use cases in the
anti-abuse and anti-fraud space before we can fully disable the header.
Contact emails
pb...@google.com
Explainer
None
Specification
None
Summary
Removes the default X-Requested-With header from HTTP requests made by
WebView.
The X-Requested-With header is set by WebView, with the package name
of the embedding apk as the value. This use of the header will be
discontinued.
Developers who rely on this header can sign up for a deprecation
origin trial [1] to continue to receive the header during the
deprecation period.
The deprecation origin trial will be extended until replacement APIs
are available to address use cases of the header, as explained in this
Android Developer Blog Post [2]
[1]:https://developer.chrome.com/origintrials/#/view_trial/1390486384950640641
[2]:https://android-developers.googleblog.com/2023/02/improving-user-privacy-by-requiring-opt-in-to-send-x-requested-wih-header-from-webview.html
Blink component
Mobile>WebView
<https://bugs.chromium.org/p/chromium/issues/list?q=component:Mobile%3EWebView>
Search tags
Headers <https://chromestatus.com/features#tags:Headers>
TAG review
TAG review status
Not applicable
Chromium Trial Name
WebViewXRequestedWithDeprecation
Link to origin trial feedback summary
https://docs.google.com/document/d/e/2PACX-1vR-ZraJ4sDSGpo2mhye1c2Z1HOl8ZqQ2iDnT2TCQ-Mj1cS1_-2OzN0OeV0Ctayu9Sm6XejgZmwXVDqE/pub
Origin Trial documentation link
https://docs.google.com/document/d/e/2PACX-1vSSTEsHVfTXwOW80Tqy4c5TW6wSnt9b8v7-ZWUF3ZqLDs03EatEuyPCqwaUaa2s0a7mFm3Wh61bgVoz/pub
Risks
Interoperability and Compatibility
Gecko: N/A
WebKit: N/A
Web developers: The X-Requested-With header is widely used for both
anti-fraud and application allowlisting use cases, despite its
inherent unreliability. These web services are concerned about the
removal of the header without replacement technologies to facilitate
their current reasons for consuming the header.
Other signals:
WebView application risks
Does this intent deprecate or change behavior of existing APIs, such
that it has potentially high risk for Android WebView-based applications?
This feature removes a header sent by default by WebView. It should
have no direct impact on applications using WebViews, but sites loaded
in the WebView will no longer receive the X-Requested-With header
unless the app explicitly allowlists the site [1] to receive the header
or the site participates in the deprecation trial.
[1]:https://developer.android.com/reference/androidx/webkit/WebSettingsCompat#setRequestedWithHeaderOriginAllowList(android.webkit.WebSettings,java.util.Set%3Cjava.lang.String%3E)
Debuggability
Is this feature fully tested by web-platform-tests
<https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
No
Flag name on chrome://flags
None
Finch feature name
WebViewXRequestedWithHeaderControl
Non-finch justification
None
Requires code in //chrome?
False
Tracking bug
https://crbug.com/960720
Launch bug
https://launch.corp.google.com/launch/4136516
Estimated milestones
DevTrial on Android
109
Shipping on WebView
114
OriginTrial webView last
138
OriginTrial webView first
110
Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5160086884843520
Links to previous Intent discussions
Intent to Experiment:
https://groups.google.com/a/chromium.org/g/blink-dev/c/k9HL9muJPxs
This intent message was generated by Chrome Platform Status
<https://chromestatus.com/>.
Peter Birk Pakkenberg
Software Engineer
pb...@chromium.org
--
You received this message because you are subscribed to the Google
Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to blink-dev+unsubscr...@chromium.org.
To view this discussion on the web visit
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CACvTYjsq%2BesCrmUEmo5%2BzSUMGw81WmbnoFeL85ajGq2xz5PBGw%40mail.gmail.com