Feature #37
open
- Description updated (diff)
- Description updated (diff)
- Status changed from New to In Progress
- Subject changed from Customize X-Requested-With Header to Customize `X-Requested-With` Header
- Priority changed from 2 to 3.x
- Parent task set to #86
This cannot be fully fixed until Privacy WebView replaces Android's WebView.
- Priority changed from 3.x to 4.x
- Parent task deleted (
#86)
Soren Stoutner wrote:
Beginning with commit https://git.stoutner.com/?p=PrivacyBrowser.git;a=commitdiff;h=87cd85777034a3b7627b68b3d60004fb20198727 Privacy Browser will send a null value for `X-Requested-With` on initial web requests. This will be included in Privacy Browser 1.9.
https://www.stoutner.com/the-x-requested-with-header/
Using a null value is probably not the best approach. Keys without values are considered malformed headers by some web servers leading to HTTP 400 errors.
My suggestion is to disable the header override until X-Requested-With can be completely removed (or make it optional, like lightning does). Currently the privacy benefits are near zero as the header override only applies to initial requests initiated via bookmarks or manually typed URLs (WebView 76.0.3809.89). Pages opened via link receive the complete header (like requests for resources as mentioned above).
Can you provide an example of a webserver that has difficulty with a null header value? In all my testing, I have not seen one.
Regardless, I would consider that to be a bug in the webserver that should be fixed there. I am not inclined to change Privacy Browser's current behavior to accommodate it.
... and https://www.voebb.de/ sends "400 Bad Request". There seem to be more webservers in the wild than last year refusing to handle an empty x-requested-with
- Subject changed from Customize `X-Requested-With` Header to Competely remove the X-Requested-With header
- Status changed from In Progress to New
Both of those websites do appear to be blocking Privacy Browser because they don't like the X-Requested-With header. However, as I said earlier, I would consider this a bug with the website and not with Privacy Browser.
Apparently Lighttpd recently decided to block access to browsers sending empty headers. Either this change or something else they did affected Safari on iOS as well.
It looks like they are going to revert the decision, which is good. Blocking empty headers provides no security or other benefit to a web server.
https://github.com/opnsense/core/issues/4917
Lighttpd has fixed the issue, so it is no longer a problem for websites they are hosting. However, I have received a report of other websites that have issues. Even though I still consider this a bug in the website itself, I think I am going to create a setting where users can revert the X-Requested-With behavior if desired.
https://redmine.stoutner.com/issues/819
Also available in: Atom
PDF