Intent to Ship: Removal of X-Requested-With in WebView


Peter Birk Pakkenberg

Mar 13, 2023, 10:06:55 AM
to blink-dev, pe...@chromium.org

Contact emails

pb...@chromium.org


Explainer

Android Developer Blog post


Summary

Removes the default X-Requested-With header from HTTP requests made by WebView. 


The X-Requested-With header is set by WebView, with the package name of the embedding apk as the value. 

This use of the header will be discontinued. 


Developers who rely on this header can sign up for a deprecation origin trial to continue to receive the header during the deprecation period. 

The deprecation origin trial will be extended until replacement APIs are available to address use cases of the header, as explained in this Android Developer Blog post.


The roll-out of this removal will be slower than usual. See “Estimated milestones” below.


Blink component

Mobile>WebView


Search tags

Headers


TAG review



TAG review status

Not applicable


Risks



Interoperability and Compatibility



Gecko: N/A


WebKit: N/A


Web developers: No signals


Other signals:


WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?

This feature removes a header sent by default by WebView. It should have no direct impact on applications using WebViews, but sites loaded in the WebView will no longer receive the X-Requested-With header unless the app explicitly allowlists the site to receive the header or the site participates in the deprecation trial.



Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?

No

WebView-only feature being deprecated



Is this feature fully tested by web-platform-tests?

No - WebView is not covered by Web Platform Tests.


Flag name

WebViewXRequestedWithHeaderControl


Requires code in //chrome?

False


Tracking bug

https://crbug.com/960720


Estimated milestones

  • Roll-out in M111 beta (up to 50%)

  • Roll-out in M112 stable (up to 1%)

  • Roll-out to M113 stable (up to 5%)

 Further roll-out to be assessed based on developer input and feedback, considering that people might need time to adopt the OT.

While we have announced the change through public developer communications and direct outreach to several partners, receiving mostly positive or neutral feedback, we expect that negative impacts, if any, will be more visible at 1% and 5% of stable traffic.  We may want to allow more time to adopt the deprecation trial before continuing to ramp up.



Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5160086884843520


Links to previous Intent discussions

Intent to Deprecate: https://groups.google.com/a/chromium.org/g/blink-dev/c/k9HL9muJPxs



This intent message was generated by Chrome Platform Status.



Sincerely,
Peter Birk Pakkenberg
Software Engineer
pb...@chromium.org
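For a site operator who wants to know whether any endpoint still receives the package-name form of the header before the removal reaches their traffic, one possible audit is sketched below. This is an added example, not code from the thread or from Chromium; the request-record shape, the function names and the sample requests are constructed for illustration, and the package-name pattern assumes standard Android application ID syntax.

```python
import re
from collections import Counter

# Android application IDs: two or more dot-separated segments,
# each starting with a letter (assumption used to spot WebView values).
PACKAGE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+$")

def classify_xrw(value):
    """Classify one X-Requested-With value (None when the header is absent)."""
    if value is None or not value.strip():
        return "absent"
    value = value.strip()
    if value.lower() == "xmlhttprequest":
        return "ajax"  # set by page script, not by WebView itself
    if PACKAGE_RE.match(value):
        return "webview_package"  # the default value this intent removes
    return "other"

def audit(requests):
    """Return (totals by class, package-name hits per path, hits per package)."""
    totals, by_path, packages = Counter(), Counter(), Counter()
    for req in requests:
        # Header names are case-insensitive, so normalise before lookup.
        headers = {k.lower(): v for k, v in req["headers"].items()}
        xrw = headers.get("x-requested-with")
        kind = classify_xrw(xrw)
        totals[kind] += 1
        if kind == "webview_package":
            by_path[req["path"]] += 1
            packages[xrw.strip()] += 1
    return totals, by_path, packages

# Constructed sample requests (not real traffic).
SAMPLE_REQUESTS = [
    {"path": "/login", "headers": {"X-Requested-With": "com.example.shop"}},
    {"path": "/api/cart", "headers": {"x-requested-with": "XMLHttpRequest"}},
    {"path": "/login", "headers": {"X-Requested-With": "com.example.shop"}},
    {"path": "/promo", "headers": {"X-Requested-With": "org.example.reader"}},
    {"path": "/index", "headers": {"User-Agent": "constructed-agent"}},
    {"path": "/api/cart", "headers": {"X-Requested-With": "fetch"}},
]

if __name__ == "__main__":
    totals, by_path, packages = audit(SAMPLE_REQUESTS)
    print("by class:", dict(totals))
    print("paths receiving a package name:", dict(by_path))
    print("packages seen:", dict(packages))
```

Paths that show up in the second counter are the ones to review for logic that depends on the header, which is client-supplied and should not be treated as proof of the embedding app's identity.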

Mike Taylor

Mar 13, 2023, 10:41:10 AM
to Peter Birk Pakkenberg, blink-dev, pe...@chromium.org

Do you expect to deprecate setRequestedWithHeaderOriginAllowList at some future point?


This looks like a reasonable, conservative rollout plan, thanks.


Peter Birk Pakkenberg

Mar 15, 2023, 11:24:04 AM
to Mike Taylor, blink-dev, pe...@chromium.org
Hi Mike,

We plan to keep the setRequestedWithHeaderOriginAllowList API for the duration of the XRW origin trial, but have not made any decisions beyond that at this point in either direction.

Sincerely,
Peter Birk Pakkenberg
Software Engineer
pb...@chromium.org

Peter Birk Pakkenberg

Mar 30, 2023, 11:18:29 AM
to Mike Taylor, blink-dev, pe...@chromium.org
Hello blink-dev@

Are there any objections to starting to ship this feature in M112?

Sincerely,
Peter Birk Pakkenberg
Software Engineer
pb...@chromium.org

Peter Birk Pakkenberg

Apr 5, 2023, 1:08:29 PM
to Mike Taylor, blink-dev, pe...@chromium.org
Hello blink-dev@

Are there any objections or questions about starting the removal of this header? 

If not, I would appreciate LGTMs to let me proceed with a 1% stable roll-out in M112.

Sincerely,
Peter Birk Pakkenberg
Software Engineer
pb...@chromium.org

Mike Taylor

Apr 5, 2023, 2:59:00 PM
to Peter Birk Pakkenberg, blink-dev, pe...@chromium.org

Apologies Peter, this intent fell off the radar of our tooling.

LGTM1 to proceed with the outlined plan. Thanks for creating a deprecation trial and blogging about it.

Yoav Weiss

Apr 7, 2023, 7:05:46 AM
to Mike Taylor, Peter Birk Pakkenberg, blink-dev, pe...@chromium.org
LGTM2

It seems like there's no way for us to know who relies on this without trying the removal and finding out. Slow and careful rollout makes sense in that case.

Peter Birk Pakkenberg

Apr 12, 2023, 4:14:59 AM
to Yoav Weiss, Mike Taylor, blink-dev, pe...@chromium.org
Thank you Mike and Yoav,

Can I get a third LGTM to let me proceed to a 1% roll-out on stable?


Sincerely,
Peter Birk Pakkenberg
Software Engineer
pb...@chromium.org

Chris Harrelson

Apr 19, 2023, 3:55:38 PM
to Peter Birk Pakkenberg, Yoav Weiss, Mike Taylor, blink-dev, pe...@chromium.org