Of the 100+ origins that signed up for the trial, do you know if any made progress towards reducing their dependence on this header? Any that no longer need the trial?
On Wed, Mar 27, 2024 at 5:03 PM Daniel Bratell <bratel...@gmail.com> wrote:

> This being beyond the normal scope of an extension will require three LGTMs so here is the first one:
>
> LGTM1
>
> I appreciate that it's not optimal in any way to have something like this running this long, but I sympathize with the end result and understand that App developers can need both longer to develop and especially longer to deploy to all users. That as many as 10k applications have adapted the new API is a good sign too.
>
> If I were going to ask for anything else (which might make it easier for others to approve it), it would be proof that usage is dropping so that we won't have to extend it again.
>
> /Daniel
>
> On 2024-03-27 12:15, Peter Birk Pakkenberg wrote:
>
> Hello Blink-dev.
>
> I would like to extend the ‘X-Requested-With in WebView Deprecation’ trial until M138 in line with the premise made below in the Summary below. I am asking for an extension of 12 milestones instead of the customary 6 <https://www.chromium.org/blink/launching-features/#deprecation-trial> to avoid undue churn for the almost 100 origins that have signed up for the trial, as we expect that it will take at least another year to address the remaining use cases.
>
> The feature is currently disabled on 5% of stable traffic, and we have developed the Android WebView Media Integrity API <https://android-developers.googleblog.com/2023/11/increasing-trust-for-embedded-media.html> as a solution for uses of the header for media content providers. We have also launched an Android API for app developers to enable the header for select origins <https://developer.android.com/reference/androidx/webkit/WebSettingsCompat#setRequestedWithHeaderOriginAllowList(android.webkit.WebSettings,java.util.Set%3Cjava.lang.String%3E)> which has been adopted by almost 10k applications so far. This is an alternative available to Android apps that only display Web content they trust. We are still looking to address further use cases in the anti-abuse and anti-fraud space before we can fully disable the header.
>
> Contact emails
>
> pb...@google.com
>
> Explainer
>
> None
>
> Specification
>
> None
>
> Summary
>
> Removes the default X-Requested-With header from HTTP requests made by WebView.
>
> The X-Requested-With header is set by WebView, with the package name of the embedding apk as the value. This use of the header will be discontinued.
>
> Developers who rely on this header can sign up for a deprecation origin trial [1] to continue to receive the header during the deprecation period.
>
> The deprecation origin trial will be extended until replacement APIs are available to address use cases of the header, as explained in this Android Developer Blog Post [2]
>
> [1]: https://developer.chrome.com/origintrials/#/view_trial/1390486384950640641
>
> [2]: https://android-developers.googleblog.com/2023/02/improving-user-privacy-by-requiring-opt-in-to-send-x-requested-wih-header-from-webview.html
>
> Blink component
>
> Mobile>WebView <https://bugs.chromium.org/p/chromium/issues/list?q=component:Mobile%3EWebView>
>
> Search tags
>
> Headers <https://chromestatus.com/features#tags:Headers>
>
> TAG review
>
> TAG review status
>
> Not applicable
>
> Chromium Trial Name
>
> WebViewXRequestedWithDeprecation
>
> Link to origin trial feedback summary
>
> https://docs.google.com/document/d/e/2PACX-1vR-ZraJ4sDSGpo2mhye1c2Z1HOl8ZqQ2iDnT2TCQ-Mj1cS1_-2OzN0OeV0Ctayu9Sm6XejgZmwXVDqE/pub
>
> Origin Trial documentation link
>
> https://docs.google.com/document/d/e/2PACX-1vSSTEsHVfTXwOW80Tqy4c5TW6wSnt9b8v7-ZWUF3ZqLDs03EatEuyPCqwaUaa2s0a7mFm3Wh61bgVoz/pub
>
> Risks
>
> Interoperability and Compatibility
>
> Gecko: N/A
>
> WebKit: N/A
>
> Web developers: The X-Requested-With header is widely used for both anti-fraud and application allowlisting use cases, despite its inherent unreliability. These web services are concerned about the removal of the header without replacement technologies to facilitate their current reasons for consuming the header.
>
> Other signals:
>
> WebView application risks
>
> Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
>
> This feature removes a header sent by default by WebView. It should have no direct impact on applications using WebViews, but sites loaded in the WebView will no longer receive the X-Requested-With header unless the app explicitly allowlists the site[1] to receive the header or the site participates in the deprecation trial.
>
> [1]: https://developer.android.com/reference/androidx/webkit/WebSettingsCompat#setRequestedWithHeaderOriginAllowList(android.webkit.WebSettings,java.util.Set%3Cjava.lang.String%3E)
>
> Debuggability
>
> Is this feature fully tested by web-platform-tests <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
>
> No
>
> Flag name on chrome://flags
>
> None
>
> Finch feature name
>
> WebViewXRequestedWithHeaderControl
>
> Non-finch justification
>
> None
>
> Requires code in //chrome?
>
> False
>
> Tracking bug
>
> https://crbug.com/960720
>
> Launch bug
>
> https://launch.corp.google.com/launch/4136516
>
> Estimated milestones
>
> DevTrial on Android
>
> 109
>
> Shipping on WebView
>
> 114
>
> OriginTrial webView last
>
> 138
>
> OriginTrial webView first
>
> 110
>
> Link to entry on the Chrome Platform Status
>
> https://chromestatus.com/feature/5160086884843520
>
> Links to previous Intent discussions
>
> Intent to Experiment: https://groups.google.com/a/chromium.org/g/blink-dev/c/k9HL9muJPxs
>
> This intent message was generated by Chrome Platform Status <https://chromestatus.com/>.
>
> Peter Birk Pakkenberg
> Software Engineer
> pb...@chromium.org
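
The quoted intent says WebView sets X-Requested-With to the embedding app's package name, that sites will stop receiving it by default, and that the header is inherently unreliable. As an added example (not part of the thread and not Chromium code), a Node.js check a site could run over its own requests to measure how much traffic still carries the header while treating the value only as an untrusted hint; the function names, the allowlist and the sample requests are constructed assumptions.

```javascript
// Added example: function names, allowlist and sample data are constructed.
// Shape of an Android package name: dot-separated identifiers, at least two.
const PACKAGE_NAME = /^[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+$/;

// Classify the X-Requested-With value of one request. The header is
// client-controlled, so the result feeds metrics and risk scoring only;
// it is never an authentication decision.
function classifyRequestedWith(headers, knownPackages) {
  // Node lower-cases header names and joins repeats of this header with ", ".
  const raw = headers['x-requested-with'];
  if (raw === undefined || raw.trim() === '') return 'absent';
  const value = raw.trim();
  if (value.includes(',')) return 'malformed';    // header sent more than once
  if (value === 'XMLHttpRequest') return 'xhr';   // set by JS libraries, not by WebView
  if (!PACKAGE_NAME.test(value)) return 'malformed';
  return knownPackages.has(value) ? 'known-app' : 'unknown-app';
}

// Tally each class across a batch of requests, to track remaining
// dependence on the header before it is removed for the origin.
function summarize(requests, knownPackages) {
  const counts = { absent: 0, xhr: 0, 'known-app': 0, 'unknown-app': 0, malformed: 0 };
  for (const req of requests) {
    counts[classifyRequestedWith(req.headers, knownPackages)] += 1;
  }
  return counts;
}

// Constructed sample requests (not real traffic).
const KNOWN = new Set(['com.example.partnerapp']);
const SAMPLE = [
  { headers: { 'x-requested-with': 'com.example.partnerapp' } },
  { headers: { 'x-requested-with': 'com.example.other' } },
  { headers: { 'x-requested-with': 'XMLHttpRequest' } },
  { headers: {} },
  { headers: { 'x-requested-with': 'com.example.partnerapp, com.example.second' } },
  { headers: { 'x-requested-with': '../etc' } },
];
console.log(summarize(SAMPLE, KNOWN));
```

A rising `absent` count with no matching rise in failed sessions indicates the site no longer depends on the header.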