Privacy Browser 3.11 has been released. There are now options to enable the default X-Requested-With header behavior. There is an entire blog post written about the X-Requested-With header, but as a summary Android’s WebView automatically sends the app ID as the value of the X-Requested-With header with each request, which in the case of Privacy Browser is
com.stoutner.privacybrowser.standard. It isn’t currently possible to disable this behavior with Android’s WebView, but it will become possible in the 4.x series with the release of Privacy WebView.
Even though I can’t currently remove the X-Requested-With header, the value can be changed to be something different than the app ID. Privacy Browser changes the value to be null (empty). Normally, that isn’t a problem, but a few web servers get angry if there is a header with a null value. There is a new option in the settings that disables this and reverts to the default behavior of sending
com.stoutner.privacybrowser.standard as the value.
This can also be configured in domain settings. Because headers are only set when a page is initially loaded, any changes to this setting will not take effect for currently loaded pages, including those navigated to through the history, even if the page is refreshed. However, if a change is made in domain settings and then the URL is loaded in a new tab, or in an existing tab that does not already have it loaded, the new X-Requested-With header will be used.
URL modification has been updated to include all the tracking URL queries listed at privacytests.org. There is a blog post that has updated information about each of the queries that is blocked. It should be noted that Facebook recently encrypted their queries into the main URL, so I will likely remove the Facebook entries once I have verified they are no longer found in the wild.
As part of this change, the URL modification controls have been simplified to two options.
There is a new Share Message entry in the options menu. This entry behaves the same as the previous Share URL entry, which has been changed to have a new behavior.
Share Message shares the webpage title and the URL combined into one field. It works well for sharing a website to a messaging app like Element. Share URL splits the webpage title and the URL into two separate fields. The primary field is the URL, and, if it is shared to an app that only receives one field, like Element, only the URL will be displayed. If it is shared to an app that accepts two fields, like an email app, then the website title will populate the subject and the URL will populate the body.
A bug was fixed that could cause the bottom app bar to cover part of the website. Another bug was fixed that caused the most recent tab to be duplicated when the app restarted if the tab had been opened by an intent from another program. The bookmark opened in a background tab snackbar is now displayed on top of the bookmarks drawer.
The kernel version has been added to About > Version. This is useful information because a device’s major kernel version usually doesn’t change even when the version of Android it is running is updated (this is a misguided Google design flaw driven by the inability of closed-source drivers to be easily recompiled for new kernels). The result is that kernel-level bugs can affect some devices and not others even if they are running the same version of Android.
The bookmarks activity now preserves the current folder if the app is restarted. The default proxy custom URL has been updated to be
socks://localhost:9050. Previously it was
http://localhost:8118, which was set as the default because the WebView available on API 19 did not support SOCKS. Seeing as how SOCKS is Orbot’s preferred protocol, and that Privacy Browser’s minimum API is now 23, it makes sense to change the default. Note that the default is set when the app is first installed and is not automatically updated thereafter, so this change will only affect new installations.
The Guide has been updated to make it easy for users to discover that closing that last tab runs Clear and Exit.
The Guide now also makes it clear that cookies are an app-level, instead of a tab-level, setting.
The section on URL modification was updated, as well as a new section that was added explaining the X-Requested-With header.
The Night Theme blue text was updated to be dual toned, similar to the Day Theme blue text. In the Day Theme headers become darker (further away in color from the background). In the Night Theme headers become lighter.
The Night Theme blue button color was also updated to match the main Night Theme violet color.
The size of the app bar icons was standardized at 24dp. Previously, some of them were 26dp and others were 24dp. It made sense to go with 24dp as the majority of icons in Privacy Browser are already that size. This also adds a tiny, little bit of more space for the URL, which might be helpful on particularly small screens.
This release bumps the target API to 32 (Android 12L).
Each release of Privacy Browser updates the blocklists to the latest versions (eventually it will be possible to users to configure and update their own blocklists). Although not directly a part of Privacy Browser’s changelog, this release is the first to include the third revision of UltraPrivacy, which blocks connect.facebook.
The majority of my development time is currently being spent on Privacy Browser PC, but I expect to do a few more releases of Privacy Browser Android during this period. Future releases are likely to select bug fixes and feature requests from those marked as Next Release on Redmine.