Contact emails

[email protected]

Explainer

Android Developer Blog post
<https://android-developers.googleblog.com/2023/02/improving-user-privacy-by-requiring-opt-in-to-send-x-requested-wih-header-from-webview.html>

Summary

Removes the default X-Requested-With header from HTTP requests made by
WebView.

The X-Requested-With header is set by WebView, with the package name of the
embedding apk as the value.

This use of the header will be discontinued.

Developers who rely on this header can sign up for a deprecation origin
trial
<https://developer.chrome.com/origintrials/#/view_trial/1390486384950640641>
to continue to receive the header during the deprecation period.

The deprecation origin trial will be extended until replacement APIs are
available to address use cases of the header, as explained in this Android
Developer Blog post
<https://android-developers.googleblog.com/2023/02/improving-user-privacy-by-requiring-opt-in-to-send-x-requested-wih-header-from-webview.html>.

The roll-out of this removal will be slower than usual. See “Estimated
milestones” below.

Blink component

Mobile>WebView
<https://bugs.chromium.org/p/chromium/issues/list?q=component:Mobile%3EWebView>

Search tags

Headers <https://chromestatus.com/features#tags:Headers>

TAG review

TAG review status

Not applicable

Risks

Interoperability and Compatibility

Gecko: N/A

WebKit: N/A

Web developers: No signals

Other signals:

WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that
it has potentially high risk for Android WebView-based applications?

This feature removes a header sent by default by WebView. It should have no
direct impact on applications using WebViews, but sites loaded in the
WebView will no longer receive the X-Requested-With header unless the
app explicitly allowlists the site
<https://developer.android.com/reference/androidx/webkit/WebSettingsCompat#setRequestedWithHeaderOriginAllowList(android.webkit.WebSettings,java.util.Set%3Cjava.lang.String%3E)>
to receive the header or the site participates in the deprecation trial.


Will this feature be supported on all six Blink platforms (Windows, Mac,
Linux, Chrome OS, Android, and Android WebView)?

No

WebView-only feature being deprecated


Is this feature fully tested by web-platform-tests
<https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?

No - WebView is not covered by Web Platform Tests.

Flag name

WebViewXRequestedWithHeaderControl

Requires code in //chrome?

False

Tracking bug

https://crbug.com/960720

Estimated milestones

   - Roll-out in M111 beta (up to 50%)
   - Roll-out in M112 stable (up to 1%)
   - Roll-out to M113 stable (up to 5%)

 Further roll-out to be assessed based on developer input and feedback,
considering that people might need time to adopt the OT.

While we have announced the change through public developer communications
and direct outreach to several partners, receiving mostly positive or
neutral feedback, we expect that negative impacts, if any, will be more
visible at 1% and 5% of stable traffic.  We may want to allow more time to
adopt the deprecation trial before continuing to ramp up.


Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5160086884843520

Links to previous Intent discussions

Intent to Deprecate:
https://groups.google.com/a/chromium.org/g/blink-dev/c/k9HL9muJPxs


This intent message was generated by Chrome Platform Status
<https://chromestatus.com/>.


Sincerely,
Peter Birk Pakkenberg
Software Engineer
[email protected]
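
Added example, not part of the original message or of Chromium's code: one way an embedding app could opt specific sites back in to the X-Requested-With header using the androidx.webkit allow-list API linked under "WebView application risks". The class name, the origins and the HTTPS-only filter are assumptions made for illustration.

```java
import android.webkit.WebView;
import androidx.webkit.WebSettingsCompat;
import androidx.webkit.WebViewFeature;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.HashSet;
import java.util.Set;

/** Hypothetical helper: restores X-Requested-With only for vetted origins. */
public final class RequestedWithHeaderPolicy {
    // Constructed sample origins (assumption): sites that still rely on the header.
    private static final String[] CANDIDATE_ORIGINS = {
        "https://partner.example",
        "https://billing.partner.example:8443",
    };

    private RequestedWithHeaderPolicy() {}

    /** Returns true if the allow-list was applied, false if the control is unavailable. */
    public static boolean apply(WebView webView) {
        if (!WebViewFeature.isFeatureSupported(
                WebViewFeature.REQUESTED_WITH_HEADER_ALLOW_LIST)) {
            // The installed WebView does not expose the control; keep its default.
            return false;
        }
        Set<String> allowList = new HashSet<>();
        for (String origin : CANDIDATE_ORIGINS) {
            // Policy choice of this example: the header carries the app's package
            // name, so it is only sent to exact origins reached over HTTPS.
            if (isExactHttpsOrigin(origin)) {
                allowList.add(origin);
            }
        }
        // Origins not in this set no longer receive the header from this WebView.
        WebSettingsCompat.setRequestedWithHeaderOriginAllowList(
                webView.getSettings(), allowList);
        return true;
    }

    /** Accepts scheme://host[:port] with an https scheme and nothing else. */
    static boolean isExactHttpsOrigin(String origin) {
        try {
            URI u = new URI(origin);
            boolean noPath = u.getRawPath() == null || u.getRawPath().isEmpty();
            return "https".equals(u.getScheme()) && u.getHost() != null && noPath
                    && u.getRawQuery() == null && u.getRawFragment() == null
                    && u.getRawUserInfo() == null;
        } catch (URISyntaxException e) {
            return false;
        }
    }
}
```

Call `RequestedWithHeaderPolicy.apply(webView)` before the first `loadUrl`, so the initial navigation already follows the allow-list.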
