23

I'm trying to make my WebView headers look like the user is just using the regular browser and not using a WebView. From what I can gather the headers are identical apart that the WebView also sends an X-Requested-With header containing the apps package name. Is there any way of preventing this?

KingFu
  • 1,358
  • 5
  • 22
  • 42
  • 1
    +1 usually x-requested-with is used to detect ajax request, kind of hoses things when android sends the header on _every_ request, ajax or not. – virtualeyes Aug 03 '13 at 13:23
  • 1
    This sounds a lot like http://stackoverflow.com/questions/7610790/add-custom-headers-to-webview-resource-requests-android – jlindenbaum Mar 25 '15 at 16:52
  • @KingFu - Were you able to discard X-Request-With header completely ? Cause all answers are mostly around how to Modify or Edit the header instead of how to deleting or disabling it. – Manisha Feb 08 '17 at 23:16

1 Answers1

7

You can do it for Android API > 11

public class AndroidMobileAppSampleActivity extends Activity {
Map<String, String> extraHeaders = new HashMap<String, String>();
@Override
public void onCreate(Bundle savedInstanceState) {
    super.onCreate(savedInstanceState);
    setContentView(R.layout.main);
    WebView mainWebView = (WebView) findViewById(R.id.mainWebView);
    // must define X-Requested-With, if header missing, then webview will
    //add your package name
    extraHeaders.put("X-Requested-With", "your presentation");
    WebSettings webSettings = mainWebView.getSettings();
    webSettings.setJavaScriptEnabled(true);
    mainWebView.setWebViewClient(new MyCustomWebViewClient());
    mainWebView.setScrollBarStyle(View.SCROLLBARS_INSIDE_OVERLAY);
    mainWebView.loadUrl("http://www.somesite.com", extraHeaders);
}

private class MyCustomWebViewClient extends WebViewClient {
    @Override
    public WebResourceResponse shouldInterceptRequest(WebView view,
         String url) {
        // TODO Here you must overwrite request  using your 
        // HttpClient Request
        // and pass it to new WebResourceResponse
        return new  WebResourceResponse(response.ContentType, response.ContentEncoding, responseStream);
    }
    @Override
    public boolean shouldOverrideUrlLoading(WebView view, String url) {
        // Apply again your heades here 
        view.loadUrl(url, extraHeaders);
        return true;
    }
}
}
anopid
  • 139
  • 1
  • 5
  • 5
    This means we can only modify value of "X-Requested-With" header. Is there way we can completely delete or discard it ? – Manisha Feb 10 '17 at 01:41
  • 5
    This only modify the value in this url's request, all js and image requests started from the response html still have whatever the original value is in X-Requested-With – yorkw May 30 '18 at 10:12
  • But this doesn't work for `POST` requests, right? – casolorz Mar 01 '21 at 15:02
  • @casolorz This does not work for `POST` requests. Currently it is impossible to solve this problem. [Google has made it so, for more information read this article.](https://social.msdn.microsoft.com/Forums/en-US/2b58565b-c084-47c4-b2d7-6beb93d8d99b/how-to-add-custom-http-headers-in-webview-all-requests-css-js?forum=xamarinforms) – AlanSTACK Sep 12 '22 at 00:05
  • 1
    This `x-requested-with` header should really be removed by Google or allow apps to remove it. I think ad companies could start using it as part of their fingerprinting of users. Also not being able to intercept the POST method really limits what the intercept can do. – casolorz Sep 13 '22 at 01:14