Anyone can fake the X-Requested-With header by doing the following; I 
could emulate a different app package name, so what's the point of this?

```kotlin
import android.app.Application
import android.util.Log
import dagger.hilt.android.HiltAndroidApp

@HiltAndroidApp
class BrowserApp : Application() {
    // WebView fills X-Requested-With from the embedding app's package name.
    // Chromium's org.chromium.base.BuildInfo reads it via Context.getPackageName(),
    // so overriding it on the Application object lets the app hand WebView
    // any package name it likes when that particular caller is on the stack.
    override fun getPackageName(): String {
        try {
            val stackTrace = Thread.currentThread().stackTrace
            for (element in stackTrace) {
                if ("org.chromium.base.BuildInfo".equals(element.className, ignoreCase = true)) {
                    Log.d("hello", "I am here... ${element.className} - ${element.methodName}")
                    if ("getPackageName".equals(element.methodName, ignoreCase = true)) {
                        val customPackageName = "com.tencent.qq"
                        return customPackageName
                    }
                    break
                }
            }
        } catch (_: Exception) {
        }

        // Every other caller (PackageManager, resources, etc.) gets the real name.
        return super.getPackageName()
    }
}
```

On Saturday 16 March 2024 at 23:54:42 UTC+5:30 David St. Pierre wrote:

> Late to the discussion, but completely agree.  Features like this keep 
> appearing in the name of privacy, but in reality have very little to do 
> with privacy, and in effect make it easier and easier to commit fraud.
>
> On Thursday, March 7, 2024 at 10:48:35 AM UTC-5 utor wrote:
>
>> This is effectively allowing all the malicious app devs to steal content 
>> from other websites. I fail to understand why people want this to be removed 
>> unless they are planning to steal content from websites; if they are not 
>> planning to do anything to hurt the website owners there is no fear of 
>> exposing this header at all.
>>
>> For APK on google playstore we can report the offending app, but what 
>> about third-party APKs?
>>
>> It is a very bad decision to remove this header for WebView.
>>
>> Still, thank you for making way for the thieves.
>>
>> On Friday 5 January 2024 at 04:23:08 UTC+8 Aman Bansal wrote:
>>
>>> That header is still sent even after i updated everything to the latest 
>>> version.
>>> Android System Webview: 122.0.6181.0
>>> Chrome: 122.0.6181.0
>>>
>>> I am totally confused why it is still sending the `X-Requested-With` if it 
>>> is already deprecated?
>>>
>>>
>>> [image: Screenshot 2024-01-05 at 1.50.17 AM.png][image: Screenshot 
>>> 2024-01-05 at 1.48.40 AM.png]
>>>
>>> On Monday, December 19, 2022 at 3:48:35 PM UTC+5:30 Peter Birk 
>>> Pakkenberg wrote:
>>>
>>>> Contact emails
>>>>
>>>> [email protected]
>>>>
>>>> Explainer
>>>>
>>>> None
>>>>
>>>> Specification
>>>>
>>>> Summary
>>>>
>>>> Removes the default X-Requested-With header from HTTP requests made by 
>>>> WebView.
>>>>
>>>> The X-Requested-With header is set by WebView, with the package name of 
>>>> the embedding apk as the value.
>>>>
>>>> This use of the header will be discontinued.
>>>>
>>>>
>>>> Blink component
>>>>
>>>> Mobile>WebView 
>>>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Mobile%3EWebView>
>>>>
>>>> Motivation
>>>>
>>>> The header as implemented in WebView does not follow the principle of 
>>>> meaningful consent of all parties exchanging the information[1]. Developers 
>>>> can utilize unreliable and undocumented methods to opt out. 
>>>>
>>>> Users are not provided with an opt-out option. The content owner is the 
>>>> only party with full control over the information provided in the header.
>>>>
>>>> APK name is also an abundant source of passive fingerprinting 
>>>> information about the users. It contains specific information about the 
>>>> browsing context. When the application is not omnipresent (i.e. has a 
>>>> relatively small user base), together with other information (e.g. approx. 
>>>> geolocation based on an IP address), it can provide a fairly unique 
>>>> identifier of a user.
>>>>
>>>> On top of those privacy issues, the header is undocumented, used in 
>>>> non-WebView context for a completely different purpose, notoriously 
>>>> misunderstood, and causing security issues since its introduction.
>>>>
>>>> [1]: https://w3ctag.github.io/design-principles/#consent
>>>>
>>>>
>>>>
>>>> Initial public proposal
>>>>
>>>> Search tags
>>>>
>>>> Headers <https://chromestatus.com/features#tags:Headers>
>>>>
>>>> TAG review
>>>>
>>>> TAG review status
>>>>
>>>> Not applicable
>>>>
>>>> Risks
>>>>
>>>> Interoperability and Compatibility
>>>>
>>>> Gecko: N/A
>>>>
>>>> WebKit: N/A
>>>>
>>>> Web developers: No signals
>>>>
>>>> Other signals:
>>>>
>>>> WebView application risks
>>>>
>>>> Does this intent deprecate or change behavior of existing APIs, such 
>>>> that it has potentially high risk for Android WebView-based applications?
>>>>
>>>> This feature removes a header sent by default by WebView. It should 
>>>> have no direct impact on applications using WebViews, but sites loaded in 
>>>> the WebView will no longer receive the X-Requested-With header unless the 
>>>> app explicitly allowlists the site[1] to receive the header or the site 
>>>> participates in the deprecation trial.
>>>>
>>>> [1]: 
>>>> https://developer.android.com/reference/androidx/webkit/WebSettingsCompat#setRequestedWithHeaderOriginAllowList(android.webkit.WebSettings,java.util.Set%3Cjava.lang.String%3E)
>>>>
>>>>
>>>> Debuggability
>>>>
>>>> Is this feature fully tested by web-platform-tests 
>>>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>
>>>> ?
>>>>
>>>> No
>>>>
>>>> Flag name
>>>>
>>>> WebViewXRequestedWithHeaderControl
>>>>
>>>> Requires code in //chrome?
>>>>
>>>> False
>>>>
>>>> Tracking bug
>>>>
>>>> https://crbug.com/960720
>>>>
>>>> Launch bug
>>>>
>>>> https://launch.corp.google.com/launch/4136516
>>>>
>>>> Estimated milestones
>>>>
>>>> DevTrial on Android
>>>>
>>>> 109
>>>>
>>>> OriginTrial webView first
>>>>
>>>> 110
>>>>
>>>>
>>>>
>>>> Link to entry on the Chrome Platform Status
>>>>
>>>> https://chromestatus.com/feature/5160086884843520
>>>>
>>>> This intent message was generated by Chrome Platform Status 
>>>> <https://chromestatus.com/>.
>>>>
>>>>
>>>> Sincerely,
>>>> [image: Google Logo] 
>>>> Peter Birk Pakkenberg
>>>> Software Engineer
>>>> [email protected]
>>>> +447469379358 <+44%207469%20379358>
>>>>
>>>
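The allow-list opt-in that the intent above points to (WebSettingsCompat.setRequestedWithHeaderOriginAllowList), shown as an added example; this is not code from the thread, from Chromium or from AndroidX. It assumes androidx.webkit 1.7.0 or newer on the classpath and a WebView already attached to an Activity; the example origins and the X-Client-Install-Token header name are placeholders chosen for illustration.

```kotlin
import android.webkit.WebView
import androidx.webkit.WebSettingsCompat
import androidx.webkit.WebViewFeature

// Added example, not part of the original thread. Assumes androidx.webkit >= 1.7.0,
// which is where the REQUESTED_WITH_HEADER_ALLOW_LIST feature and the
// WebSettingsCompat allow-list accessors live.

/**
 * Re-enable X-Requested-With only for origins this app owns.
 *
 * Returns the allow list the WebView provider actually stored, or null when the
 * WebView installed on the device predates the feature (in that case the old
 * default behaviour applies and nothing can be restricted from the app side).
 */
fun restrictRequestedWithHeader(webView: WebView, ownOrigins: Set<String>): Set<String>? {
    if (!WebViewFeature.isFeatureSupported(WebViewFeature.REQUESTED_WITH_HEADER_ALLOW_LIST)) {
        return null
    }
    // Entries are origin rules such as "https://example.com" or "https://*.example.com"
    // (placeholder values); anything not matching gets no X-Requested-With at all.
    WebSettingsCompat.setRequestedWithHeaderOriginAllowList(webView.settings, ownOrigins)
    return WebSettingsCompat.getRequestedWithHeaderOriginAllowList(webView.settings)
}

/**
 * The allow list only controls *where* the header is sent, not whether its value
 * can be trusted: as the override of Application.getPackageName() earlier in this
 * thread shows, the embedding process chooses the string WebView puts there.
 * A backend that genuinely needs to know which client is calling should instead
 * be given a secret it issued to this installation.
 *
 * Caveat: extra headers passed to loadUrl are attached to the top-level
 * navigation only, not to sub-resources or to fetch/XHR issued by the page, so
 * the server has to carry the identity forward itself (e.g. by setting a cookie
 * on that first response).
 */
fun loadOwnSiteWithClientToken(webView: WebView, url: String, installToken: String) {
    // "X-Client-Install-Token" is a hypothetical header name used for illustration.
    webView.loadUrl(url, mapOf("X-Client-Install-Token" to installToken))
}

// Usage (placeholder origins):
// restrictRequestedWithHeader(webView, setOf("https://example.com", "https://*.example.com"))
// loadOwnSiteWithClientToken(webView, "https://example.com/app", tokenFromBackend)
```

Call restrictRequestedWithHeader before the first loadUrl on that WebView; a null return means the device's WebView does not support the allow list, which is worth logging because it is the case where the header is still sent to every site.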

To view this discussion on the web visit 
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/1457019e-f64d-431c-b0c4-545b1556236en%40chromium.org.
