Intent to Deprecate: X-Requested-With in WebView

[Peter Birk Pakkenberg]

Contact emails

pb...@google.com

Explainer

None

Specification

Summary

Removes the default X-Requested-With header from HTTP requests made by WebView.

The X-Requested-With header is set by WebView, with the package name of the embedding apk as the value.

This use of the header will be discontinued.

Blink component

Mobile>WebView

Motivation

The header as implemented in WebView does not follow the principle of meaningful consent of all parties exchanging the information[1]. Developer can utilize unreliable and undocumented methods to opt-out. 

Users are not provided with an opt-out option. The content owner is the only party with full control over the information provided in the header.

APK name is also an abundant source of passive fingerprinting information about the users. It contains specific information about the browsing context. When the application is not omnipresent (i.e. has a relatively small user base), together with other information (e.g. approx. geolocation based on an IP address), it can provide a fairly unique identifier of a user.

On top of those privacy issues, the header is undocumented, used in non-WebView context for a completely different purpose, notoriously misunderstood, and causing security issues since its introduction.

[1]: https://w3ctag.github.io/design-principles/#consent

Initial public proposal

Search tags

Headers

TAG review

TAG review status

Not applicable

Risks

Interoperability and Compatibility

Gecko: N/A

WebKit: N/A

Web developers: No signals

Other signals:

WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?

This feature removes a header sent by default by WebView. It should have no direct impact on applications using WebViews, but sites loaded in the WebView will no longer receive the X-Requested-With header unless the app explicitly allowlist the site[1] to receive the header or the site participates in the deprecation trial.

[1]: https://developer.android.com/reference/androidx/webkit/WebSettingsCompat#setRequestedWithHeaderOriginAllowList(android.webkit.WebSettings,java.util.Set%3Cjava.lang.String%3E)

Debuggability

Is this feature fully tested by web-platform-tests?

No

Flag name

WebViewXRequestedWithHeaderControl

Requires code in //chrome?

False

Tracking bug

https://crbug.com/960720

Launch bug

https://launch.corp.google.com/launch/4136516

Estimated milestones

DevTrial on Android

109

OriginTrial webView first

110

Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5160086884843520

This intent message was generated by Chrome Platform Status.

Sincerely,

Peter Birk Pakkenberg Software Engineer pb...@google.com +447469379358

[Rick Byers]

Thanks for working to remove this non-standard WebView-only behavior, I agree it's a privacy issue. I assume this is an "Intent to Deprecate and Remove" looking for permission to remove this behavior (not just mark it 'deprecated'), is that right?

If so, LGTM1.

There may still be some compat and developer messaging risks, but the WebView team (of which Peter is a member) are the right experts to navigate those.

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CACvTYjv0PC76S%3DZkg66V_KCPfrb3tAnryWGnA6TfQz-ay2yXKA%40mail.gmail.com.

[Peter Birk Pakkenberg]

Hi Rick,

Yes - removal is part of the goal here.

Sincerely,

Peter Birk Pakkenberg Software Engineer pb...@google.com +447469379358

[Mike Taylor]

I'm a big fan of removing passive fingerprinting signals, so thanks for driving this work. Just a few questions:

https://bugs.chromium.org/p/chromium/issues/detail?id=960720#c2 stated that "changing the default behaviour would be a significant compatibility risk" - I assume your team is going to publish some migration guidance for developers to reduce the risk. Can you confirm?

Also, this intent mentions a deprecation trial - does that already exist? Could you give more details on the plans there? (I don't recall seeing a "Request for Deprecation Trial" for that, but I'm bad at email...)

Can you also clarify your proposed timelines (for the deprecation trial, and removal)?

thanks,
Mike

To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CACvTYjuZy4SeHwVCJ%2BGvawdGrAR6myzAJEwZEX6Jmymii6wxDg%40mail.gmail.com.

[Peter Birk Pakkenberg]

Hi Rick, Mike, and blink-dev@

To clarify my last statement, here is our proposed plan:

We intend to start a deprecation trial, which will retain the current behaviour of sending the X-Requested-With header from WebView clients, however, as an opt-in rather than default behaviour. This trial is planned to run for at least one year, but we’d only like it to end once we have a replacement solution.
Simultaneously, we’re working on gathering requirements and designing replacement APIs for the key use cases, in a secure and privacy-conscious manner.

Right now we are looking for approval to start the deprecation trial and change the header to become opt-in for non-trial-participants, with the understanding that this will be an ongoing trial with no set end-date.

We will also publish a blog post in January to further lay out the reasons behind this change, and the timeline for the deprecation.

Sincerely,

Peter Birk Pakkenberg Software Engineer pb...@google.com +447469379358

[Rick Byers]

Hi Peter,

Thanks for the extra details, that makes sense to me and is roughly what I was assuming would be happening. So still LGTM1

Rick

[Mike Taylor]

Thanks Peter!

Can you say more about timelines? For example, which milestone you would launch the deprecation trial, and how long will sites have to enroll before the behavior changes (i.e., what's the milestone for turning XRW off)?

A blog post in January sounds great - are there any other useful outreach tools that are useful to the WebView ecosystem? (I have no idea if Deprecation Reports for a few milestones would be useful...).

[Peter Birk Pakkenberg]

Hi Mike,

We plan to open the deprecation trial for sign-up in January. 

We’re planning to roll out the change in behaviour in M110 Canary/Dev/Beta, and hopefully a small percentage of Stable in M111. The exact ramp-up schedule after that will depend on feedback, and is something we’re still figuring out together with other stakeholders, but we plan to take a careful approach.

Deprecation Reports is a great idea. I am not sure if these are supported by WebView, but I will look into that next year.

Sincerely,

Peter Birk Pakkenberg Software Engineer pb...@google.com +447469379358

[Mike Taylor]

On 12/21/22 12:27 PM, Peter Birk Pakkenberg wrote:

Hi Mike,

We plan to open the deprecation trial for sign-up in January.

We’re planning to roll out the change in behaviour in M110 Canary/Dev/Beta, and hopefully a small percentage of Stable in M111. The exact ramp-up schedule after that will depend on feedback, and is something we’re still figuring out together with other stakeholders, but we plan to take a careful approach.

Assuming the blog post goes out soon, that gives ~2 months for developers to notice and implement any necessary changes. It feels a little bit on the short side. But I'm glad to hear you're working out the ramp-up details with caution in mind.

If the Deprecation Trial is valid beginning with M110, when does it end? I don't know that we've shipped "never expires" origin trials before (to my knowledge they require an expiration date encoded in the token?).

[Peter Birk Pakkenberg]

Hi Mike,

Initially, the trial will end with M125, but we are likely to extend the trial once we get there. By then, we should have a better understanding of the timeline for ending the trial period.

Sincerely,

Peter Birk Pakkenberg Software Engineer pb...@google.com +447469379358

[Peter Birk Pakkenberg]

Hi blink-dev@

I wanted to update you on the deprecation trial for the X-Requested-With header deprecation, as we are planning to change the trial to allow third-party enablement.

We have received developer feedback that it should be possible to be able to re-enable the X-Requested-With header on cross-origin requests, where a service that relies on the header is being called without the option to respond with an Origin-Trial HTTP header on a navigation request, or by running a script of its own. An example of this is a web service which simply provides an JSON endpoint.

Because the trial changes request header behaviour, we think that this feature request is reasonable. We want to provide a solution where the deprecation of the header can still be impactful, while services that rely on it can retain it during the deprecation period.

To solve this use case, we propose that the trial can be enabled on behalf of the service, by letting the calling script provide a third-party origin trial token on behalf of the service it wishes to call.

Third-party origin trial tokens is an existing mechanism for trial enablement. By supplying a token for the target origin, a script can signal that it wishes to enable a trial for a particular service, without re-enabling the X-Requested-With header for the whole frame.

Aside from these changes, the plan or purpose for the trial has not changed.

Sincerely,

Peter Birk Pakkenberg Software Engineer pb...@google.com +447469379358

[Peter Birk Pakkenberg]

Hi Robb,

I posted the Intent to Ship here: https://groups.google.com/a/chromium.org/g/blink-dev/c/Z70s8CQ8PbU

It contains more information about the rollout schedule.

Sincerely,

Peter Birk Pakkenberg Software Engineer pb...@google.com +447469379358

On Tue, 14 Mar 2023 at 16:58, Robb Watershed <zeugma...@hotmail.com> wrote:

Hey there,

I understand the conversation is focusing on the trial, but I'm still very confused about the removal of X-Requested-With header itself.

That header is still sent even on the current bleeding-edge webview (v113.0.5637).

When can we expect to see it disappear for certain ?

Thanks in advance for your reply,

Best regards,

-Robb

[Robb Watershed]

Hey there,

I understand the conversation is focusing on the trial, but I'm still very confused about the removal of X-Requested-With header itself.

That header is still sent even on the current bleeding-edge webview (v113.0.5637).

When can we expect to see it disappear for certain ?

Thanks in advance for your reply,

Best regards,

-Robb

[Some Developer]

Hello,

Do you realize that the removal of X-Requested-With header from WebView requests (without any opt-ins) is hurting website owners, since it deprives them of filtering out the traffic originating from unauthorized apps (or apps in general)? Combined with the built-in ability to tamper User-Agent, that... umm, ecosystem improvement helps dishonest app developers to make use of any web content they had no right to use.
I'm aware that the value of X-Requested-With can be tampered as well in some cases, but the total absence of the header seems to make the traffic validation impossible.

Regards,
P

[Aman Bansal]

That header is still sent even after i updated everything to the latest version.

Android System Webview: 122.0.6181.0
Chrome: 122.0.6181.0

I am totally confused why is it still sending the `X-Request-With` if it is already depreciated ?

[utor]

This effectively allowing all the malicious app devs to steal content from other website, I fail to understand why people want this to be removed unless they are planning to steal content from websites, if they are not planning to do anything to hurt the website owners there is no fear of exposing this header at all.

For APK on google playstore we can report the offending app, but what about third-party APKs?

It is a very bad decision to remove this header for WebView.

Still, thank you for making way for the thiefs.

[David St. Pierre]

Late to the discussion, but completely agree.  Features like this keep appearing in the name of privacy, but in reality have very little to do with privacy, and in effect make it easier and easier to commit fraud.

[Jeeva Kumar]

Any one can fake the X-Requested-With header by doing the following, I could emulate a different app package name, so what's the point of this?

```kotlin

@HiltAndroidApp
class BrowserApp: Application() {
override fun getPackageName(): String {
try {
val stackTrace = Thread.currentThread().stackTrace
for (element in stackTrace) {
if ("org.chromium.base.BuildInfo".equals(element.className, ignoreCase = true)) {
Log.d("hello", "I am here... ${element.className} - ${element.methodName}")
if ("getPackageName".equals(element.methodName, ignoreCase = true)) {
val customPackageName = "com.tencent.qq"
return customPackageName
}
break
}
}
} catch (_: Exception) { }

return super.getPackageName()
}
}

```

[Peter Beverloo]

To be clear, this thread is about deprecating the header, not about adding the header or changing its behaviour.

Thanks,

Peter

--

You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.

To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/1457019e-f64d-431c-b0c4-545b1556236en%40chromium.org.