Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

WebView: X-Requested-With sends the app package name to the host #1659

Open
6 tasks done
choppeh opened this issue Jan 22, 2025 · 3 comments
Open
6 tasks done

WebView: X-Requested-With sends the app package name to the host #1659

choppeh opened this issue Jan 22, 2025 · 3 comments
Labels
Bug Something isn't working

Comments

@choppeh
Copy link

choppeh commented Jan 22, 2025

Steps to reproduce

  • Add a proxy to your Android device;
  • Open the web view and see the headers

Expected behavior

Remove the X-Requested-With

Actual behavior

X-Requested-With is configured

Crash logs

No response

Mihon version

0.17.1

Android version

Android 13

Device

POCO F3

Other details

The web view sends the ID of the embedded browser, which is different from a request from a regular browser.

Acknowledgements

  • I have searched the existing issues and this is a new ticket, NOT a duplicate or related to another open or closed issue.
  • I have written a short but informative title.
  • I have gone through the FAQ and troubleshooting guide.
  • I have updated the app to version 0.17.1.
  • I have updated all installed extensions.
  • I will fill out all of the requested information in this form.
@choppeh choppeh added the Bug Something isn't working label Jan 22, 2025
@choppeh choppeh changed the title v WebView: X-Requested-With sends the app package name to the host Jan 22, 2025
@choppeh
Copy link
Author

choppeh commented Jan 24, 2025
edited
Loading

This solution works: https://stackoverflow.com/questions/17832313/android-disable-x-requested-with-header-in-webview/29395509#29395509

But it doesnt remove the X-Requested-With

override fun shouldInterceptRequest(
    view: WebView?,
    request: WebResourceRequest?
): WebResourceResponse? {
    return request?.let {
         try {
            // Needs to check the X-Request-With content  to avoid wrong overwriting
            val connection = URL(it.url.toString()).openConnection() as HttpURLConnection
            connection.setRequestProperty("X-Requested-With", "")
            WebResourceResponse(connection.contentType, connection.contentEncoding, connection.inputStream)
        } catch (_: Exception) {
             super.shouldInterceptRequest(view, request)
        }
    }
}

requestProperty(or requestHeaders) is a hashtable (map), but it's private and belongs to the HttpURLConnection implementation. I tried to use reflaction to call the remove method, but I couldn't implemente with reflaction

This implemention is used: https://android.googlesource.com/platform/external/okhttp/+/bad0a11146d43955d3f3b949aa277f0dd7cc3abb/okhttp-urlconnection/src/main/java/com/squareup/okhttp/internal/huc/HttpURLConnectionImpl.java#83

I tried to replace the App::getPackageName, but it throws some crashs

I didnt try write a new request

@MajorTanya
Copy link
Contributor

What's the reason you want it removed?

@AwkwardPeak7
Copy link
Contributor

What's the reason you want it removed?

Websites fingerprint and block the apps request based on that header

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@MajorTanya @AwkwardPeak7 @choppeh