LGTM3

On 4/4/24 10:24 AM, Yoav Weiss (@Shopify) wrote:
LGTM2 to continue the Deprecation Trial until M138.

Thanks for pushing this through! It'd be great if by the time this trial expires we'd have a clearer picture of the required replacement mechanisms and some momentum for moving trial participants off to them.

On Thu, Apr 4, 2024 at 3:21 PM Peter Birk Pakkenberg <pb...@chromium.org> wrote:

    Hi Yoav,

    The X-Requested-With header exposes the app package name of the
    embedding application on all HTTP requests made from WebView. The
    header value is not signed, and can be changed either by web
    content loaded in the WebView, or by the host app, through various
    well known methods.

    Media content providers have been using this information in an
    effort to help identify abuse and fraud, and the WebView Media
    Integrity API has been developed to be a more direct fit for these
    use cases.

    We are working with the remaining OT participants to determine
    what, if any, further solutions are needed for their use cases of
    the header.

    Sincerely,
    Peter Birk Pakkenberg
    Software Engineer
    pb...@chromium.org



    On Wed, 3 Apr 2024 at 11:06, Yoav Weiss (@Shopify)
    <yoavwe...@chromium.org> wrote:



        On Thursday, March 28, 2024 at 12:53:04 PM UTC+1 Peter
        Pakkenberg wrote:

            Hi Yoav,


            A number of large websites are working on adopting the new
            WebView Media Integrity API as an alternative


        Can you elaborate on the connection between the two? Are there
        overlapping use cases?
        I guess I'm missing context on what information is currently
        exposed with X-Requested-With..

            , however, that said, other websites have expressed
            hesitancy to move away from using the header, citing the
            lack of alternative signals that solve their more precise
            use cases.


        So in order for those websites to move away from the header's
        use, we'd need to ship another alternative API? Is this being
        worked on?


            Looking at the signed up origins, it appears that the
            usage of the header is quite unevenly distributed, and we
            are working directly with the largest users to reduce usage.


            Sincerely,
            Peter Birk Pakkenberg
            Software engineer
            pb...@chromium.org

            On Thu, 28 Mar 2024 at 08:40, Yoav Weiss (@Shopify)
            <yoavwe...@chromium.org> wrote:

                Of the 100+ origins that signed up for the trial, do
                you know if any made progress towards reducing their
                dependence on this header? Any that no longer need the
                trial?

                On Wed, Mar 27, 2024 at 5:03 PM Daniel Bratell
                <bratel...@gmail.com> wrote:

                    This being beyond the normal scope of an extension
                    will require three LGTMs so here is the first one:

                    LGTM1

                    I appreciate that it's not optimal in any way to
                    have something like this running this long, but I
                    sympathize with the end result and understand that
                    App developers can need both longer to develop and
                    especially longer to deploy to all users. That as
                    many as 10k applications have adapted the new API
                    is a good sign too.

                    If I were going to ask for anything else (which
                    might make it easier for others to approve it), it
                    would be proof that usage is dropping so that we
                    won't have to extend it again.

                    /Daniel

                    On 2024-03-27 12:15, Peter Birk Pakkenberg wrote:

                    Hello Blink-dev.


                    I would like to extend the ‘X-Requested-With in
                    WebView Deprecation’ trial until M138 in line
                    with the premise made below in the Summary below.
                    I am asking for an extension of 12 milestones
                    instead of the customary 6
                    <https://www.chromium.org/blink/launching-features/#deprecation-trial>
                    to avoid undue churn for the almost 100 origins that
                    have signed up for the trial, as we expect that
                    it will take at least another year to address the
                    remaining use cases.


                    The feature is currently disabled on 5% of stable
                    traffic, and we have developed the Android
                    WebView Media Integrity API
                    <https://android-developers.googleblog.com/2023/11/increasing-trust-for-embedded-media.html>
                    as a solution for uses of the header for media
                    content providers. We have also launched an
                    Android API for app developers to enable the
                    header for select origins
                    <https://developer.android.com/reference/androidx/webkit/WebSettingsCompat#setRequestedWithHeaderOriginAllowList(android.webkit.WebSettings,java.util.Set%3Cjava.lang.String%3E)>
                    which has been adopted by almost 10k applications so
                    far. This is an alternative available to Android
                    apps that only display Web content they trust. We
                    are still looking to address further use cases in
                    the anti-abuse and anti-fraud space before we can
                    fully disable the header.



                    Contact emails

                    pb...@google.com


                    Explainer

                    None


                    Specification

                    None


                    Summary

                    Removes the default X-Requested-With header from
                    HTTP requests made by WebView.


                    The X-Requested-With header is set by WebView,
                    with the package name of the embedding apk as the
                    value. This use of the header will be discontinued.


                    Developers who rely on this header can sign up
                    for a deprecation origin trial [1] to continue to
                    receive the header during the deprecation period.


                    The deprecation origin trial will be extended
                    until replacement APIs are available to address
                    use cases of the header, as explained in this
                    Android Developer Blog Post [2]


                    
                    [1]: https://developer.chrome.com/origintrials/#/view_trial/1390486384950640641

                    [2]: https://android-developers.googleblog.com/2023/02/improving-user-privacy-by-requiring-opt-in-to-send-x-requested-wih-header-from-webview.html



                    Blink component

                    Mobile>WebView
                    <https://bugs.chromium.org/p/chromium/issues/list?q=component:Mobile%3EWebView>


                    Search tags

                    Headers
                    <https://chromestatus.com/features#tags:Headers>


                    TAG review

                    TAG review status

                    Not applicable


                    Chromium Trial Name

                    WebViewXRequestedWithDeprecation


                    Link to origin trial feedback summary

                    
                    https://docs.google.com/document/d/e/2PACX-1vR-ZraJ4sDSGpo2mhye1c2Z1HOl8ZqQ2iDnT2TCQ-Mj1cS1_-2OzN0OeV0Ctayu9Sm6XejgZmwXVDqE/pub



                    Origin Trial documentation link

                    
                    https://docs.google.com/document/d/e/2PACX-1vSSTEsHVfTXwOW80Tqy4c5TW6wSnt9b8v7-ZWUF3ZqLDs03EatEuyPCqwaUaa2s0a7mFm3Wh61bgVoz/pub


                    Risks

                    Interoperability and Compatibility

                    Gecko: N/A


                    WebKit: N/A


                    Web developers: The X-Requested-With header is
                    widely used for both anti-fraud and application
                    allowlisting use cases, despite its inherent
                    unreliability. These web services are concerned
                    about the removal of the header without
                    replacement technologies to facilitate their
                    current reasons for consuming the header.


                    Other signals:


                    WebView application risks

                    Does this intent deprecate or change behavior of
                    existing APIs, such that it has potentially high
                    risk for Android WebView-based applications?

                    This feature removes a header sent by default by
                    WebView. It should have no direct impact on
                    applications using WebViews, but sites loaded in
                    the WebView will no longer receive the
                    X-Requested-With header unless the app explicitly
                    allowlists the site[1] to receive the header or
                    the site participates in the deprecation trial.


                    
                    [1]: https://developer.android.com/reference/androidx/webkit/WebSettingsCompat#setRequestedWithHeaderOriginAllowList(android.webkit.WebSettings,java.util.Set%3Cjava.lang.String%3E)



                    Debuggability

                    Is this feature fully tested by
                    web-platform-tests
                    <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?


                    No


                    Flag name on chrome://flags

                    None


                    Finch feature name

                    WebViewXRequestedWithHeaderControl


                    Non-finch justification

                    None


                    Requires code in //chrome?

                    False


                    Tracking bug

                    https://crbug.com/960720


                    Launch bug

                    https://launch.corp.google.com/launch/4136516


                    Estimated milestones

                    DevTrial on Android

                    109


                    Shipping on WebView

                    114

                    OriginTrial webView last

                    138

                    OriginTrial webView first

                    110




                    Link to entry on the Chrome Platform Status

                    https://chromestatus.com/feature/5160086884843520


                    Links to previous Intent discussions

                    Intent to Experiment:
                    
                    https://groups.google.com/a/chromium.org/g/blink-dev/c/k9HL9muJPxs



                    This intent message was generated by Chrome
                    Platform Status <https://chromestatus.com/>.


                    Peter Birk Pakkenberg
                    Software Engineer
                    pb...@chromium.org

                    --
                    You received this message because you are
                    subscribed to the Google Groups "blink-dev" group.
                    To unsubscribe from this group and stop receiving
                    emails from it, send an email to
                    blink-dev+unsubscr...@chromium.org.
                    To view this discussion on the web visit
                    https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CACvTYjsq%2BesCrmUEmo5%2BzSUMGw81WmbnoFeL85ajGq2xz5PBGw%40mail.gmail.com.