by robterrell
4525 days ago
The JS-Cocoa bridge isn't young at all; it's the same bridge that has been on Mac OS X for years. And it's opt-in -- on the native side you have to specify which classes can be bridged and what methods can be called. It's not the case that any bridged webview exposes all of Cocoa for your JS injection pleasure. You could write an app that specifically exposed some dangerous API, but you'd know you had done so.

Few people write insecure code on purpose. Of course the same is true of Safari or networking/parsing code. I still maintain certificate pinning is the answer here, to try and defend as much as possible against MITM in the first place.