Posted by Peter Birk Pakkenberg, Software Engineer
X-Requested-With (XRW) is a nonstandard header.
When a user installs and runs an application that uses a WebView to embed web content, the WebView adds the X-Requested-With header to every request sent to servers, with the application's APK name as the value. It is then left to the receiving web server to determine if and how to use this information.
We want to protect the user's privacy by only sending this header on requests if the app developer explicitly opts in to sharing it with services embedded within the WebView. We are introducing new, purpose-built methods of client attestation that solve important security use cases in a privacy-sensitive way.
To let existing online services that depend on this header migrate away from using it, we will run a Deprecation Origin Trial while removing the header for general traffic.
Why are we making this change?
In early use cases, the X-Requested-With header was used to detect click fraud from malicious apps. It was also used to let a server know it is interacting with AJAX requests and need not respond with HTML. The header was quickly adopted by common frameworks (jQuery, Dojo, Django) as a defense against CSRF attacks. However, several vulnerabilities (such as browser extensions impersonating websites) appeared around its use.
Android WebView adopted the X-Requested-With header with the application name as the value, as a way to allow online services to detect deceptive apps that were using hidden WebViews to generate fake traffic. While this problem still exists today, the header as currently implemented does not fully solve it, as apps can easily change the value being sent on some requests in later Android versions.
The header, as currently implemented by default in Android WebView, does not follow the principle of meaningful consent of all parties exchanging the information, nor the Android Platform Security Model's definition of multi-party consent.
The APK name also contains specific information about the context in which the user is consuming the web content, and can leak the identity of the app to the online service.
How does this proposal affect the header?
It is important to note that the non-WebView use cases will not change because of this proposal, as clients and servers still can and will set the header in normal JavaScript environments.
Even today, WebView will not overwrite the header if it has already been set on an AJAX request by a JavaScript framework.
This removal only targets the WebView use case, in which the header is added to every HTTP request made by the browser (that is, not the XMLHttpRequest use case).
What is the impact of removing this feature?
Today, content owners may decide to rely on X-Requested-With to attribute traffic and control access without using their own authentication. Other services use it for reporting aggregate patterns about their user base.
All of these use cases will be affected by the removal of the header on requests, and in the majority of cases, where the header is not modified by dishonest apps, it provides useful information to online services.
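The distinction drawn above between the XMLHttpRequest value a JavaScript framework sets and the APK name WebView adds, together with the attribution use just described, can be handled server-side as in this added example (not code from the post or from Android): requests are sorted by the header's value, an APK-name value is kept only as an attribution hint and never decides access, and a missing header is an expected state rather than an error. The package-name pattern and the sample headers are assumptions constructed for the example.

```python
import re
from collections import Counter

AJAX_VALUE = "XMLHttpRequest"  # value AJAX frameworks (jQuery, Dojo, Django) set
# Android application IDs are dot-separated package names; this pattern is an
# assumption covering the usual lowercase form such as com.example.app.
PACKAGE_RE = re.compile(r"^[a-z][a-z0-9_]*(\.[a-z][a-z0-9_]*)+$")

def xrw_value(headers):
    """Fetch X-Requested-With case-insensitively, stripped, or "" if absent."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return (lowered.get("x-requested-with") or "").strip()

def classify_xrw(headers):
    """Return "ajax", "webview", "absent" or "other" for one request. "absent"
    also covers WebView traffic once the header is removed, so it is not an
    error on its own."""
    value = xrw_value(headers)
    if not value:
        return "absent"
    if value == AJAX_VALUE:
        return "ajax"
    if PACKAGE_RE.match(value):  # looks like the APK name WebView adds by default
        return "webview"
    return "other"

def attribute(headers):
    """Attribution record for aggregate reporting. The package name is a hint
    only: apps can alter it, so it never decides access here; that stays with
    the service's own authentication."""
    kind = classify_xrw(headers)
    app_hint = xrw_value(headers) if kind == "webview" else None
    return {"kind": kind, "app_hint": app_hint, "trusted": False}

def summarize(requests):
    """Aggregate per-kind and per-app counts over a batch of request headers."""
    kinds, apps = Counter(), Counter()
    for rec in map(attribute, requests):
        kinds[rec["kind"]] += 1
        if rec["app_hint"]:
            apps[rec["app_hint"]] += 1
    return {"kinds": dict(kinds), "apps": dict(apps)}

# Constructed sample headers: WebView, jQuery-style AJAX, no header, arbitrary value.
SAMPLE = [
    {"Host": "example.test", "X-Requested-With": "com.example.newsreader"},
    {"Host": "example.test", "x-requested-with": "XMLHttpRequest"},
    {"Host": "example.test"},
    {"Host": "example.test", "X-Requested-With": "something-else"},
]
```

Calling `summarize(SAMPLE)` yields one request in each category and a single app hint, which is the shape of the aggregate report the post describes; the `trusted` field stays false to make the hint-only status explicit to downstream code.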
Given this, we plan to limit disruption during the deprecation and the transition to purpose-built replacement signals by offering a Deprecation Origin Trial that maintains the existing behavior.
We ask for feedback on existing use cases that currently rely on the header and may be impacted by these changes.
Next steps and the future of XRW
As we gradually roll out the removal, origins participating in the trial will be exempted (that is, WebView will continue to send the header to those origins for as long as the trial lasts). The deprecation trial is expected to remain active for at least a year to give partners time to adjust to the change.
Further, during the deprecation origin trial, we will be developing new privacy-preserving APIs to match the use cases where the XRW header is being used today, such as client attestation APIs.
Separately from the deprecation trial, we will provide an opt-in API for application developers. This API will allow individual apps to selectively send the header to chosen origins, which can be used to maintain functionality of legacy sites that are not migrating, and the API will remain after the deprecation trial has finished.
Helpful resources
Key areas where we are seeking feedback
- Key use cases for the XRW header today (e.g., payment authentication, account takeover fraud)
- How important the XRW header is for each of these use cases
- Desired capabilities that any new privacy-preserving alternatives would ideally have