Intent to Extend Deprecation Trial: Removal of X-Requested-With in WebView

Peter Birk Pakkenberg

Mar 27, 2024, 7:16:45 AM
to blink-dev, pe...@chromium.org

Hello Blink-dev.


I would like to extend the ‘X-Requested-With in WebView Deprecation’ trial until M138 in line with the premise made in the Summary below. I am asking for an extension of 12 milestones instead of the customary 6 to avoid undue churn for the almost 100 origins that have signed up for the trial, as we expect that it will take at least another year to address the remaining use cases.


The feature is currently disabled on 5% of stable traffic, and we have developed the Android WebView Media Integrity API as a solution for uses of the header for media content providers. We have also launched an Android API for app developers to enable the header for select origins which has been adopted by almost 10k applications so far. This is an alternative available to Android apps that only display Web content they trust. We are still looking to address further use cases in the anti-abuse and anti-fraud space before we can fully disable the header.



Contact emails

pb...@google.com


Explainer

None


Specification

None


Summary

Removes the default X-Requested-With header from HTTP requests made by WebView.


The X-Requested-With header is set by WebView, with the package name of the embedding apk as the value. This use of the header will be discontinued.


Developers who rely on this header can sign up for a deprecation origin trial [1] to continue to receive the header during the deprecation period.


The deprecation origin trial will be extended until replacement APIs are available to address use cases of the header, as explained in this Android Developer Blog Post [2].


[1]: https://developer.chrome.com/origintrials/#/view_trial/1390486384950640641

[2]: https://android-developers.googleblog.com/2023/02/improving-user-privacy-by-requiring-opt-in-to-send-x-requested-wih-header-from-webview.html



Blink component

Mobile>WebView


Search tags

Headers


TAG review



TAG review status

Not applicable


Chromium Trial Name

WebViewXRequestedWithDeprecation


Link to origin trial feedback summary

https://docs.google.com/document/d/e/2PACX-1vR-ZraJ4sDSGpo2mhye1c2Z1HOl8ZqQ2iDnT2TCQ-Mj1cS1_-2OzN0OeV0Ctayu9Sm6XejgZmwXVDqE/pub



Origin Trial documentation link

https://docs.google.com/document/d/e/2PACX-1vSSTEsHVfTXwOW80Tqy4c5TW6wSnt9b8v7-ZWUF3ZqLDs03EatEuyPCqwaUaa2s0a7mFm3Wh61bgVoz/pub


Risks



Interoperability and Compatibility



Gecko: N/A


WebKit: N/A


Web developers: The X-Requested-With header is widely used for both anti-fraud and application allowlisting use cases, despite its inherent unreliability. These web services are concerned about the removal of the header without replacement technologies to facilitate their current reasons for consuming the header.


Other signals:


WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?

This feature removes a header sent by default by WebView. It should have no direct impact on applications using WebViews, but sites loaded in the WebView will no longer receive the X-Requested-With header unless the app explicitly allowlists the site [1] to receive the header or the site participates in the deprecation trial.


[1]: https://developer.android.com/reference/androidx/webkit/WebSettingsCompat#setRequestedWithHeaderOriginAllowList(android.webkit.WebSettings,java.util.Set%3Cjava.lang.String%3E)



Debuggability



Is this feature fully tested by web-platform-tests?

No


Flag name on chrome://flags

None


Finch feature name

WebViewXRequestedWithHeaderControl


Non-finch justification

None


Requires code in //chrome?

False


Tracking bug

https://crbug.com/960720


Launch bug

https://launch.corp.google.com/launch/4136516


Estimated milestones

DevTrial on Android

109


Shipping on WebView

114

OriginTrial webView last

138

OriginTrial webView first

110




Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5160086884843520


Links to previous Intent discussions

Intent to Experiment: https://groups.google.com/a/chromium.org/g/blink-dev/c/k9HL9muJPxs



This intent message was generated by Chrome Platform Status.


Peter Birk Pakkenberg
Software Engineer
pb...@chromium.org
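The app-side allowlist API referenced in the intent, shown here as an added example that is not code from the intent, from Chromium or from the androidx project. It assumes the androidx.webkit library; the origins are constructed sample values and RequestedWithHeaderConfig is a hypothetical helper name.

```java
import android.webkit.WebSettings;
import android.webkit.WebView;
import androidx.webkit.WebSettingsCompat;
import androidx.webkit.WebViewFeature;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

/** Hypothetical helper: re-enable X-Requested-With only for origins the app trusts. */
public final class RequestedWithHeaderConfig {

    // Constructed sample values: first-party origins whose responses the app already
    // trusts. Keep this list as short as possible; every origin here learns the
    // app's package name on each request (the value is unsigned and spoofable).
    private static final Set<String> TRUSTED_ORIGINS = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList(
                    "https://app.example.com",
                    "https://*.api.example.com")));

    private RequestedWithHeaderConfig() {}

    /**
     * Applies the allowlist to the given WebView.
     *
     * @return true if the allowlist was applied; false if the installed WebView
     *         does not support the API, in which case the header keeps the
     *         WebView default (not sent on M114+), which is the safe fallback.
     */
    public static boolean applyAllowList(WebView webView) {
        if (!WebViewFeature.isFeatureSupported(
                WebViewFeature.REQUESTED_WITH_HEADER_ALLOW_LIST)) {
            return false;
        }
        WebSettings settings = webView.getSettings();
        WebSettingsCompat.setRequestedWithHeaderOriginAllowList(settings, TRUSTED_ORIGINS);
        return true;
    }

    /** Reads back the currently configured allowlist (empty when unsupported). */
    public static Set<String> currentAllowList(WebView webView) {
        if (!WebViewFeature.isFeatureSupported(
                WebViewFeature.REQUESTED_WITH_HEADER_ALLOW_LIST)) {
            return Collections.emptySet();
        }
        return WebSettingsCompat.getRequestedWithHeaderOriginAllowList(webView.getSettings());
    }
}
```

Call applyAllowList before the first loadUrl so that no request leaves with the header before the allowlist is in place.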

Daniel Bratell

Mar 27, 2024, 12:03:23 PM
to Peter Birk Pakkenberg, blink-dev, pe...@chromium.org

This being beyond the normal scope of an extension will require three LGTMs, so here is the first one:

LGTM1

I appreciate that it's not optimal in any way to have something like this running this long, but I sympathize with the end result and understand that App developers can need both longer to develop and especially longer to deploy to all users. That as many as 10k applications have adapted the new API is a good sign too.

If I were going to ask for anything else (which might make it easier for others to approve it), it would be proof that usage is dropping so that we won't have to extend it again.

/Daniel

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CACvTYjsq%2BesCrmUEmo5%2BzSUMGw81WmbnoFeL85ajGq2xz5PBGw%40mail.gmail.com.

Yoav Weiss (@Shopify)

Mar 28, 2024, 4:40:09 AM
to Daniel Bratell, Peter Birk Pakkenberg, blink-dev, pe...@chromium.org
Of the 100+ origins that signed up for the trial, do you know if any made progress towards reducing their dependence on this header? Any that no longer need the trial?

Peter Birk Pakkenberg

Mar 28, 2024, 7:53:04 AM
to Yoav Weiss (@Shopify), Daniel Bratell, blink-dev, pe...@chromium.org

Hi Yoav,


A number of large websites are working on adopting the new WebView Media Integrity API as an alternative; however, that said, other websites have expressed hesitancy to move away from using the header, citing the lack of alternative signals that solve their more precise use cases.


Looking at the signed up origins, it appears that the usage of the header is quite unevenly distributed, and we are working directly with the largest users to reduce usage.


Sincerely,
Peter Birk Pakkenberg
Software Engineer
pb...@chromium.org

Yoav Weiss (@Shopify)

Apr 3, 2024, 6:06:40 AM
to blink-dev, Peter Pakkenberg, Daniel Bratell, blink-dev, Peter Beverloo, Yoav Weiss
On Thursday, March 28, 2024 at 12:53:04 PM UTC+1 Peter Pakkenberg wrote:

> Hi Yoav,
>
> A number of large websites are working on adopting the new WebView Media Integrity API as an alternative

Can you elaborate on the connection between the two? Are there overlapping use cases?
I guess I'm missing context on what information is currently exposed with X-Requested-With.

> , however, that said, other websites have expressed hesitancy to move away from using the header, citing the lack of alternative signals that solve their more precise use cases.

So in order for those websites to move away from the header's use, we'd need to ship another alternative API? Is this being worked on?

Peter Birk Pakkenberg

Apr 4, 2024, 9:21:29 AM
to Yoav Weiss (@Shopify), blink-dev, Daniel Bratell, Peter Beverloo
Hi Yoav,

The X-Requested-With header exposes the app package name of the embedding application on all HTTP requests made from WebView. The header value is not signed, and can be changed either by web content loaded in the WebView, or by the host app, through various well known methods.

Media content providers have been using this information in an effort to help identify abuse and fraud, and the WebView Media Integrity API has been developed to be a more direct fit for these use cases.

We are working with the remaining OT participants to determine what, if any, further solutions are needed for their use cases of the header.

Sincerely,
Peter Birk Pakkenberg
Software Engineer
pb...@chromium.org

Yoav Weiss (@Shopify)

Apr 4, 2024, 10:24:30 AM
to Peter Birk Pakkenberg, blink-dev, Daniel Bratell, Peter Beverloo
LGTM2 to continue the Deprecation Trial until M138.

Thanks for pushing this through! It'd be great if by the time this trial expires we'd have a clearer picture of the required replacement mechanisms and some momentum for moving trial participants off to them.

Mike Taylor

Apr 5, 2024, 2:58:54 PM
to Yoav Weiss (@Shopify), Peter Birk Pakkenberg, blink-dev, Daniel Bratell, Peter Beverloo

LGTM3


Peter Birk Pakkenberg

Apr 8, 2024, 4:32:28 AM
to Mike Taylor, Yoav Weiss (@Shopify), blink-dev, Daniel Bratell, Peter Beverloo
Thank you all for the LGTMs.

Sincerely,
Peter Birk Pakkenberg
Software Engineer
pb...@chromium.org
