Man, that's depressing. It's fairly easy to prevent this particular kind of injection—you just have to add a Content Security Policy to the HTML page. The appropriate value for web pages running from file://, with no expectation of downloading and executing remote JavaScript is: `script-src 'self';`
Really sad to see that Apple is using embedded web views without this sort of basic protection. I bet worse exploits than this are possible, given that they probably expose parts of the Objective-C layer through the JavaScriptCore bridge.
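To make the mitigation in the comment above concrete, here is an added example (not code from the commenter or from Apple) that parses a Content Security Policy string and answers one question: would an injected inline `<script>` execute under this policy? It follows the CSP3 rules for `script-src` (fallback to `default-src`, an absent directive allows everything, and `'unsafe-inline'` is ignored when a nonce- or hash-source is present); the sample policies are constructed.

```javascript
// Added example: minimal CSP evaluator for the inline-script question.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    // The first occurrence of a directive wins, as in the spec.
    if (!directives.has(key)) {
      directives.set(key, sources.map((s) => s.toLowerCase()));
    }
  }
  return directives;
}

// true  -> an injected inline <script> would run under this policy
// false -> the policy blocks it
function inlineScriptAllowed(policy) {
  const directives = parseCsp(policy);
  // script-src governs scripts; otherwise default-src; otherwise unrestricted.
  const sources = directives.get('script-src') ?? directives.get('default-src');
  if (sources === undefined) return true;
  // A nonce- or hash-source makes 'unsafe-inline' a no-op (CSP2+).
  const hasNonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  if (hasNonceOrHash) return false;
  return sources.includes("'unsafe-inline'");
}

// Constructed sample policies for the file:// web view case discussed above.
const SAMPLE_POLICIES = {
  none: '',
  suggested: "script-src 'self';",
  defaultOnly: "default-src 'self'",
  weak: "script-src 'self' 'unsafe-inline'",
  nonced: "script-src 'unsafe-inline' 'nonce-abc123'",
};

// Returns { label: inlineAllowed } for every sample policy.
function evaluateSamples() {
  const result = {};
  for (const [label, policy] of Object.entries(SAMPLE_POLICIES)) {
    result[label] = inlineScriptAllowed(policy);
  }
  return result;
}
```

Only the `none` and `weak` policies let injected inline script run; the `script-src 'self';` value suggested above blocks it, as does a `default-src` fallback.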