requestedWithHeaderOriginAllowList property

Set<String>? requestedWithHeaderOriginAllowList
getter/setter pair

Set an allow-list of origins to receive the X-Requested-With HTTP header from the WebView owning the passed InAppWebViewSettings.

Historically, this header was sent on all requests from WebView, containing the app package name of the embedding app. Depending on the version of installed WebView, this may no longer be the case, as the header was deprecated in late 2022, and its use discontinued.

Apps can use this method to restore the legacy behavior for servers that still rely on the deprecated header, but it should not be used to identify the WebView to first-party servers under the control of the app developer.

The format of the strings in the allow-list follows the origin rules of PlatformInAppWebViewController.addWebMessageListener.

NOTE for Android native WebView: available on Android only if the WebViewFeature.REQUESTED_WITH_HEADER_ALLOW_LIST feature is supported.
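
The following is an added example, not code from the plugin or its documentation: it opts a single third-party origin back into the header and only after the Android feature check passes. The origin `https://legacy-partner.example`, the helper names `narrowAllowList` and `buildWebViewSettings`, and the exact-https-only policy are assumptions of this example; the policy is deliberately stricter than the origin rules allow, because the header exposes the app package name to every listed origin.

```dart
import 'package:flutter/foundation.dart';
import 'package:flutter_inappwebview/flutter_inappwebview.dart';

// Constructed placeholder: a third-party origin that still needs the header.
const Set<String> legacyOrigins = {'https://legacy-partner.example'};

// Policy chosen for this example (stricter than the origin rules require):
// exact https origins only, so "*", "*.host" patterns, plain http, paths
// and userinfo are all refused.
final RegExp _exactHttpsOrigin =
    RegExp(r'^https://[a-z0-9]([a-z0-9.-]*[a-z0-9])?(:\d{1,5})?$');

/// Hypothetical helper: keeps only rules that match the policy above.
Set<String> narrowAllowList(Iterable<String> candidates) =>
    candidates.where(_exactHttpsOrigin.hasMatch).toSet();

/// Hypothetical helper: returns settings with the allow-list applied only
/// when the installed Android WebView reports support for the feature.
Future<InAppWebViewSettings> buildWebViewSettings() async {
  final settings = InAppWebViewSettings();
  final allowList = narrowAllowList(legacyOrigins);
  if (allowList.isEmpty) return settings; // nothing to opt in

  // The page documents the feature check for Android only; on other
  // platforms this example leaves the property unset.
  if (!kIsWeb && defaultTargetPlatform == TargetPlatform.android) {
    final supported = await WebViewFeature.isFeatureSupported(
        WebViewFeature.REQUESTED_WITH_HEADER_ALLOW_LIST);
    if (supported) {
      settings.requestedWithHeaderOriginAllowList = allowList;
    }
  }
  return settings;
}
```

The returned object can be passed as `initialSettings` when constructing the `InAppWebView` widget.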

Officially Supported Platforms/Implementations:

Implementation

Set<String>? requestedWithHeaderOriginAllowList;