I'm assuming you are mostly talking about fraud on ads that use the WebView? Feels like that should be controlled at the ad network level, they control their own WebView's so they can force the header to be sent.
Also as far as I know, iOS doesn't send this header, so I'm not sure why Android needs it? On Monday, September 8, 2025 at 8:52:30 AM UTC-5 Carlos Solorzano wrote: > Sorry if this is not the right place to ask but I'm curious what the > status of this is? I'm on WebView 141 and it is still sending the > X-Requested-With header. > > On Wednesday, April 19, 2023 at 2:55:38 PM UTC-5 Chris Harrelson wrote: > >> LGTM3 >> >> On Wed, Apr 12, 2023 at 1:14 AM Peter Birk Pakkenberg <[email protected]> >> wrote: >> >>> Thank you Mike and Yoav, >>> >>> Can I get a third LGTM to let me proceed to a 1% roll-out on stable? >>> >>> >>> Sincerely, >>> [image: Google Logo] >>> Peter Birk Pakkenberg >>> Software Engineer >>> [email protected] >>> >>> >>> On Fri, 7 Apr 2023 at 12:05, Yoav Weiss <[email protected]> wrote: >>> >>>> LGTM2 >>>> >>>> It seems like there's no way for us to know who relies on this without >>>> trying the removal and finding out. Slow and careful rollout makes sense >>>> in >>>> that case. >>>> >>>> On Wed, Apr 5, 2023 at 8:58 PM Mike Taylor <[email protected]> >>>> wrote: >>>> >>>>> Apologies Peter, this intent fell off the radar of our tooling. >>>>> >>>>> LGTM1 to proceed with the outlined plan. Thanks for creating a >>>>> deprecation trial and blogging about it. >>>>> On 4/5/23 1:07 PM, Peter Birk Pakkenberg wrote: >>>>> >>>>> Hello blink-dev@ >>>>> >>>>> Are there any objections or questions about starting the removal of >>>>> this header? >>>>> >>>>> If not, I would appreciate LGTM's to let me proceed with a 1% stable >>>>> roll-out in M112. >>>>> >>>>> Sincerely, >>>>> [image: Google Logo] >>>>> Peter Birk Pakkenberg >>>>> Software Engineer >>>>> [email protected] >>>>> >>>>> >>>>> On Thu, 30 Mar 2023 at 16:17, Peter Birk Pakkenberg < >>>>> [email protected]> wrote: >>>>> >>>>>> Hello blink-dev@ >>>>>> >>>>>> Are there any objections to start shipping this feature in M112? >>>>>> >>>>>> Sincerely, >>>>>> [image: Google Logo] >>>>>> Peter Birk Pakkenberg >>>>>> Software Engineer >>>>>> [email protected] >>>>>> >>>>>> >>>>>> On Wed, 15 Mar 2023 at 14:24, Peter Birk Pakkenberg < >>>>>> [email protected]> wrote: >>>>>> >>>>>>> Hi Mike, >>>>>>> >>>>>>> We plan to keep the setRequestedWithHeaderOriginAllowList API for >>>>>>> the duration of the XRW origin trial, but have not made any decisions >>>>>>> beyond that at this point in either direction. >>>>>>> >>>>>>> Sincerely, >>>>>>> [image: Google Logo] >>>>>>> Peter Birk Pakkenberg >>>>>>> Software Engineer >>>>>>> [email protected] >>>>>>> >>>>>>> >>>>>>> On Mon, 13 Mar 2023 at 14:41, Mike Taylor <[email protected]> >>>>>>> wrote: >>>>>>> >>>>>>>> On 3/13/23 9:11 AM, Peter Birk Pakkenberg wrote: >>>>>>>> >>>>>>>> Contact emails >>>>>>>> >>>>>>>> [email protected] >>>>>>>> >>>>>>>> Explainer >>>>>>>> >>>>>>>> Android Developer Blog post >>>>>>>> <https://android-developers.googleblog.com/2023/02/improving-user-privacy-by-requiring-opt-in-to-send-x-requested-wih-header-from-webview.html> >>>>>>>> >>>>>>>> Summary >>>>>>>> >>>>>>>> Removes the default X-Requested-With header from HTTP requests made >>>>>>>> by WebView. >>>>>>>> >>>>>>>> The X-Requested-With header is set by WebView, with the package >>>>>>>> name of the embedding apk as the value. >>>>>>>> >>>>>>>> This use of the header will be discontinued. >>>>>>>> >>>>>>>> Developers who rely on this header can sign up for a deprecation >>>>>>>> origin trial >>>>>>>> <https://developer.chrome.com/origintrials/#/view_trial/1390486384950640641> >>>>>>>> >>>>>>>> to continue to receive the header during the deprecation period. >>>>>>>> >>>>>>>> The deprecation origin trial will be extended until replacement >>>>>>>> APIs are available to address use cases of the header, as explained in >>>>>>>> this Android >>>>>>>> Developer Blog post >>>>>>>> <https://android-developers.googleblog.com/2023/02/improving-user-privacy-by-requiring-opt-in-to-send-x-requested-wih-header-from-webview.html> >>>>>>>> . >>>>>>>> >>>>>>>> The roll-out of this removal will be slower than usual. See >>>>>>>> “Estimated milestones” below. >>>>>>>> >>>>>>>> Blink component >>>>>>>> >>>>>>>> Mobile>WebView >>>>>>>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Mobile%3EWebView> >>>>>>>> >>>>>>>> Search tags >>>>>>>> >>>>>>>> Headers <https://chromestatus.com/features#tags:Headers> >>>>>>>> >>>>>>>> TAG review >>>>>>>> >>>>>>>> TAG review status >>>>>>>> >>>>>>>> Not applicable >>>>>>>> >>>>>>>> Risks >>>>>>>> >>>>>>>> Interoperability and Compatibility >>>>>>>> >>>>>>>> Gecko: N/A >>>>>>>> >>>>>>>> WebKit: N/A >>>>>>>> >>>>>>>> Web developers: No signals >>>>>>>> >>>>>>>> Other signals: >>>>>>>> >>>>>>>> WebView application risks >>>>>>>> >>>>>>>> Does this intent deprecate or change behavior of existing APIs, >>>>>>>> such that it has potentially high risk for Android WebView-based >>>>>>>> applications? >>>>>>>> >>>>>>>> This feature removes a header sent by default by WebView. It should >>>>>>>> have no direct impact on applications using WebViews, but sites loaded >>>>>>>> in >>>>>>>> the WebView will no longer receive the X-Requested-With header unless >>>>>>>> the >>>>>>>> app explicitly allowlist the site >>>>>>>> <https://developer.android.com/reference/androidx/webkit/WebSettingsCompat#setRequestedWithHeaderOriginAllowList(android.webkit.WebSettings,java.util.Set%3Cjava.lang.String%3E)> >>>>>>>> >>>>>>>> to receive the header or the site participates in the deprecation >>>>>>>> trial. >>>>>>>> >>>>>>>> Do you expect to deprecate setRequestedWithHeaderOriginAllowList at >>>>>>>> some future point? >>>>>>>> >>>>>>>> Will this feature be supported on all six Blink platforms (Windows, >>>>>>>> Mac, Linux, Chrome OS, Android, and Android WebView)? >>>>>>>> >>>>>>>> No >>>>>>>> >>>>>>>> WebView-only feature being deprecated >>>>>>>> >>>>>>>> >>>>>>>> Is this feature fully tested by web-platform-tests >>>>>>>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md> >>>>>>>> ? >>>>>>>> >>>>>>>> No - WebView is not covered by Web Platform Tests. >>>>>>>> >>>>>>>> Flag name >>>>>>>> >>>>>>>> WebViewXRequestedWithHeaderControl >>>>>>>> >>>>>>>> Requires code in //chrome? >>>>>>>> >>>>>>>> False >>>>>>>> >>>>>>>> Tracking bug >>>>>>>> >>>>>>>> https://crbug.com/960720 >>>>>>>> >>>>>>>> Estimated milestones >>>>>>>> >>>>>>>> - >>>>>>>> >>>>>>>> Roll-out in M111 beta (up to 50%) >>>>>>>> - >>>>>>>> >>>>>>>> Roll-out in M112 stable (up to 1%) >>>>>>>> - >>>>>>>> >>>>>>>> Roll-out to M113 stable (up to 5%) >>>>>>>> >>>>>>>> Further roll-out to be assessed based on developer input and >>>>>>>> feedback, considering that people might need time to adopt the OT. >>>>>>>> >>>>>>>> While we have announced the change through public developer >>>>>>>> communications and direct outreach to several partners, receiving >>>>>>>> mostly >>>>>>>> positive or neutral feedback, we expect that negative impacts, if any, >>>>>>>> will >>>>>>>> be more visible at 1% and 5% of stable traffic. We may want to allow >>>>>>>> more >>>>>>>> time to adopt the deprecation trial before continuing to ramp up. >>>>>>>> >>>>>>>> This looks like a reasonable, conservative rollout plan, thanks. >>>>>>>> >>>>>>>> Link to entry on the Chrome Platform Status >>>>>>>> >>>>>>>> https://chromestatus.com/feature/5160086884843520 >>>>>>>> >>>>>>>> Links to previous Intent discussions >>>>>>>> >>>>>>>> Intent to Deprecate: >>>>>>>> https://groups.google.com/a/chromium.org/g/blink-dev/c/k9HL9muJPxs >>>>>>>> >>>>>>>> >>>>>>>> This intent message was generated by Chrome Platform Status >>>>>>>> <https://chromestatus.com/>. >>>>>>>> >>>>>>>> >>>>>>>> Sincerely, >>>>>>>> [image: Google Logo] >>>>>>>> Peter Birk Pakkenberg >>>>>>>> Software Engineer >>>>>>>> [email protected] >>>>>>>> -- >>>>>>>> You received this message because you are subscribed to the Google >>>>>>>> Groups "blink-dev" group. >>>>>>>> To unsubscribe from this group and stop receiving emails from it, >>>>>>>> send an email to [email protected]. >>>>>>>> To view this discussion on the web visit >>>>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CACvTYjtyf389m7ywT7042GXBzVCz4z6Pmn9UCNztMA23ewTZqw%40mail.gmail.com >>>>>>>> >>>>>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CACvTYjtyf389m7ywT7042GXBzVCz4z6Pmn9UCNztMA23ewTZqw%40mail.gmail.com?utm_medium=email&utm_source=footer> >>>>>>>> . >>>>>>>> >>>>>>>> -- >>>>> You received this message because you are subscribed to the Google >>>>> Groups "blink-dev" group. >>>>> To unsubscribe from this group and stop receiving emails from it, send >>>>> an email to [email protected]. >>>>> To view this discussion on the web visit >>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/63373d78-6db4-e974-2451-24fad35903da%40chromium.org >>>>> >>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/63373d78-6db4-e974-2451-24fad35903da%40chromium.org?utm_medium=email&utm_source=footer> >>>>> . >>>>> >>>> -- >>> You received this message because you are subscribed to the Google >>> Groups "blink-dev" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to [email protected]. >>> >> To view this discussion on the web visit >>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CACvTYjuUBd_9qULnJyumjR7ye_DRQcv_oULzPJpx8TQ_aLWOWA%40mail.gmail.com >>> >>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CACvTYjuUBd_9qULnJyumjR7ye_DRQcv_oULzPJpx8TQ_aLWOWA%40mail.gmail.com?utm_medium=email&utm_source=footer> >>> . >>> >> -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/c5589502-bf4e-4cc5-859c-b90b2ee9b55an%40chromium.org.
