LGTM2 to continue the Deprecation Trial until M138. Thanks for pushing this through! It'd be great if by the time this trial expires we'd have a clearer picture of the required replacement mechanisms and some momentum for moving trial participants off to them.
On Thu, Apr 4, 2024 at 3:21 PM Peter Birk Pakkenberg <pb...@chromium.org> wrote:

> Hi Yoav,
>
> The X-Requested-With header exposes the app package name of the embedding application on all HTTP requests made from WebView. The header value is not signed, and can be changed either by web content loaded in the WebView, or by the host app, through various well-known methods.
>
> Media content providers have been using this information in an effort to help identify abuse and fraud, and the WebView Media Integrity API has been developed to be a more direct fit for these use cases.
>
> We are working with the remaining OT participants to determine what, if any, further solutions are needed for their use cases of the header.
>
> Sincerely,
> Peter Birk Pakkenberg
> Software Engineer
> pb...@chromium.org
>
> On Wed, 3 Apr 2024 at 11:06, Yoav Weiss (@Shopify) <yoavwe...@chromium.org> wrote:
>
>> On Thursday, March 28, 2024 at 12:53:04 PM UTC+1 Peter Pakkenberg wrote:
>>
>>> Hi Yoav,
>>>
>>> A number of large websites are working on adopting the new WebView Media Integrity API as an alternative
>>
>> Can you elaborate on the connection between the two? Are there overlapping use cases?
>> I guess I'm missing context on what information is currently exposed with X-Requested-With.
>>
>>> , however, that said, other websites have expressed hesitancy to move away from using the header, citing the lack of alternative signals that solve their more precise use cases.
>>
>> So in order for those websites to move away from the header's use, we'd need to ship another alternative API? Is this being worked on?
>>
>>> Looking at the signed-up origins, it appears that the usage of the header is quite unevenly distributed, and we are working directly with the largest users to reduce usage.
>>>
>>> Sincerely,
>>> Peter Birk Pakkenberg
>>> Software Engineer
>>> pb...@chromium.org
>>>
>>> On Thu, 28 Mar 2024 at 08:40, Yoav Weiss (@Shopify) <yoavwe...@chromium.org> wrote:
>>>
>>>> Of the 100+ origins that signed up for the trial, do you know if any made progress towards reducing their dependence on this header? Any that no longer need the trial?
>>>>
>>>> On Wed, Mar 27, 2024 at 5:03 PM Daniel Bratell <bratel...@gmail.com> wrote:
>>>>
>>>>> This being beyond the normal scope of an extension will require three LGTMs, so here is the first one:
>>>>>
>>>>> LGTM1
>>>>>
>>>>> I appreciate that it's not optimal in any way to have something like this running this long, but I sympathize with the end result and understand that app developers can need both longer to develop and especially longer to deploy to all users. That as many as 10k applications have adapted the new API is a good sign too.
>>>>>
>>>>> If I were going to ask for anything else (which might make it easier for others to approve it), it would be proof that usage is dropping so that we won't have to extend it again.
>>>>>
>>>>> /Daniel
>>>>>
>>>>> On 2024-03-27 12:15, Peter Birk Pakkenberg wrote:
>>>>>
>>>>>> Hello Blink-dev.
>>>>>>
>>>>>> I would like to extend the ‘X-Requested-With in WebView Deprecation’ trial until M138, in line with the premise made in the Summary below. I am asking for an extension of 12 milestones instead of the customary 6 <https://www.chromium.org/blink/launching-features/#deprecation-trial> to avoid undue churn for the almost 100 origins that have signed up for the trial, as we expect that it will take at least another year to address the remaining use cases.
>>>>>>
>>>>>> The feature is currently disabled on 5% of stable traffic, and we have developed the Android WebView Media Integrity API <https://android-developers.googleblog.com/2023/11/increasing-trust-for-embedded-media.html> as a solution for uses of the header for media content providers.
>>>>>> We have also launched an Android API for app developers to enable the header for select origins <https://developer.android.com/reference/androidx/webkit/WebSettingsCompat#setRequestedWithHeaderOriginAllowList(android.webkit.WebSettings,java.util.Set%3Cjava.lang.String%3E)> which has been adopted by almost 10k applications so far. This is an alternative available to Android apps that only display web content they trust. We are still looking to address further use cases in the anti-abuse and anti-fraud space before we can fully disable the header.
>>>>>>
>>>>>> Contact emails
>>>>>>
>>>>>> pb...@google.com
>>>>>>
>>>>>> Explainer
>>>>>>
>>>>>> None
>>>>>>
>>>>>> Specification
>>>>>>
>>>>>> None
>>>>>>
>>>>>> Summary
>>>>>>
>>>>>> Removes the default X-Requested-With header from HTTP requests made by WebView.
>>>>>>
>>>>>> The X-Requested-With header is set by WebView, with the package name of the embedding APK as the value. This use of the header will be discontinued.
>>>>>>
>>>>>> Developers who rely on this header can sign up for a deprecation origin trial [1] to continue to receive the header during the deprecation period.
>>>>>>
>>>>>> The deprecation origin trial will be extended until replacement APIs are available to address use cases of the header, as explained in this Android Developer Blog post [2].
>>>>>>
>>>>>> [1]: https://developer.chrome.com/origintrials/#/view_trial/1390486384950640641
>>>>>>
>>>>>> [2]: https://android-developers.googleblog.com/2023/02/improving-user-privacy-by-requiring-opt-in-to-send-x-requested-wih-header-from-webview.html
>>>>>>
>>>>>> Blink component
>>>>>>
>>>>>> Mobile>WebView <https://bugs.chromium.org/p/chromium/issues/list?q=component:Mobile%3EWebView>
>>>>>>
>>>>>> Search tags
>>>>>>
>>>>>> Headers <https://chromestatus.com/features#tags:Headers>
>>>>>>
>>>>>> TAG review
>>>>>>
>>>>>> TAG review status
>>>>>>
>>>>>> Not applicable
>>>>>>
>>>>>> Chromium Trial Name
>>>>>>
>>>>>> WebViewXRequestedWithDeprecation
>>>>>>
>>>>>> Link to origin trial feedback summary
>>>>>>
>>>>>> https://docs.google.com/document/d/e/2PACX-1vR-ZraJ4sDSGpo2mhye1c2Z1HOl8ZqQ2iDnT2TCQ-Mj1cS1_-2OzN0OeV0Ctayu9Sm6XejgZmwXVDqE/pub
>>>>>>
>>>>>> Origin Trial documentation link
>>>>>>
>>>>>> https://docs.google.com/document/d/e/2PACX-1vSSTEsHVfTXwOW80Tqy4c5TW6wSnt9b8v7-ZWUF3ZqLDs03EatEuyPCqwaUaa2s0a7mFm3Wh61bgVoz/pub
>>>>>>
>>>>>> Risks
>>>>>>
>>>>>> Interoperability and Compatibility
>>>>>>
>>>>>> Gecko: N/A
>>>>>>
>>>>>> WebKit: N/A
>>>>>>
>>>>>> Web developers: The X-Requested-With header is widely used for both anti-fraud and application allowlisting use cases, despite its inherent unreliability. These web services are concerned about the removal of the header without replacement technologies to facilitate their current reasons for consuming the header.
>>>>>>
>>>>>> Other signals:
>>>>>>
>>>>>> WebView application risks
>>>>>>
>>>>>> Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
>>>>>>
>>>>>> This feature removes a header sent by default by WebView.
>>>>>> It should have no direct impact on applications using WebViews, but sites loaded in the WebView will no longer receive the X-Requested-With header unless the app explicitly allowlists the site [1] to receive the header or the site participates in the deprecation trial.
>>>>>>
>>>>>> [1]: https://developer.android.com/reference/androidx/webkit/WebSettingsCompat#setRequestedWithHeaderOriginAllowList(android.webkit.WebSettings,java.util.Set%3Cjava.lang.String%3E)
>>>>>>
>>>>>> Debuggability
>>>>>>
>>>>>> Is this feature fully tested by web-platform-tests <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
>>>>>>
>>>>>> No
>>>>>>
>>>>>> Flag name on chrome://flags
>>>>>>
>>>>>> None
>>>>>>
>>>>>> Finch feature name
>>>>>>
>>>>>> WebViewXRequestedWithHeaderControl
>>>>>>
>>>>>> Non-finch justification
>>>>>>
>>>>>> None
>>>>>>
>>>>>> Requires code in //chrome?
>>>>>>
>>>>>> False
>>>>>>
>>>>>> Tracking bug
>>>>>>
>>>>>> https://crbug.com/960720
>>>>>>
>>>>>> Launch bug
>>>>>>
>>>>>> https://launch.corp.google.com/launch/4136516
>>>>>>
>>>>>> Estimated milestones
>>>>>>
>>>>>> DevTrial on Android: 109
>>>>>>
>>>>>> Shipping on WebView: 114
>>>>>>
>>>>>> OriginTrial webView last: 138
>>>>>>
>>>>>> OriginTrial webView first: 110
>>>>>>
>>>>>> Link to entry on the Chrome Platform Status
>>>>>>
>>>>>> https://chromestatus.com/feature/5160086884843520
>>>>>>
>>>>>> Links to previous Intent discussions
>>>>>>
>>>>>> Intent to Experiment: https://groups.google.com/a/chromium.org/g/blink-dev/c/k9HL9muJPxs
>>>>>>
>>>>>> This intent message was generated by Chrome Platform Status <https://chromestatus.com/>.
>>>>>>
>>>>>> Peter Birk Pakkenberg
>>>>>> Software Engineer
>>>>>> pb...@chromium.org
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOmohSJ0S5u80FXvDZtN5Gvi1hAfRk8S%3Dvf7Z2yXO0gDW8FULg%40mail.gmail.com.
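The intent describes the host-app side of the replacement: once the default header is gone, an app that only renders content it trusts can re-enable X-Requested-With for specific origins through the androidx.webkit API linked above. The following is an added example, not code from the thread, from Chromium or from the AndroidX project; it assumes androidx.webkit 1.7 or newer on the classpath, and the two origin strings are constructed sample values.

```java
// Added example (not from the thread or from the Chromium/AndroidX projects).
// A host app restricts the X-Requested-With header to origins it trusts rather
// than relying on the deprecated default that sends the package name to every
// site. Assumes androidx.webkit 1.7+; the origins below are constructed samples.
import android.webkit.WebSettings;
import android.webkit.WebView;
import androidx.webkit.WebSettingsCompat;
import androidx.webkit.WebViewFeature;
import java.util.Set;

public final class RequestedWithAllowList {

    // Constructed sample: only first-party origins should learn the package name.
    // Note that the header stays unsigned, so even these origins cannot treat it
    // as proof of which app is embedding them; it is a hint, not an attestation.
    private static final Set<String> TRUSTED_ORIGINS = Set.of(
            "https://app.example.com",
            "https://api.example.com");

    private RequestedWithAllowList() {}

    /**
     * Applies the allowlist to the given WebView. Returns true when the
     * allowlist was set, false when the installed WebView predates the feature,
     * in which case the legacy default behaviour (header on all requests during
     * the deprecation period, then none) remains in effect.
     */
    public static boolean apply(WebView webView) {
        if (!WebViewFeature.isFeatureSupported(
                WebViewFeature.REQUESTED_WITH_HEADER_ALLOW_LIST)) {
            return false;
        }
        WebSettings settings = webView.getSettings();
        WebSettingsCompat.setRequestedWithHeaderOriginAllowList(settings, TRUSTED_ORIGINS);
        return true;
    }
}
```

Call `RequestedWithAllowList.apply(webView)` right after creating the WebView and before the first `loadUrl`; the return value lets the app log when a device's WebView is too old to honour the allowlist.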