InAppBrowser.com icon indicating copy to clipboard operation
InAppBrowser.com copied to clipboard
verified publisher icon KrauseFx

Injections via WKUserScript:

Open mortargrind opened this issue 3 years ago • 0 comments

As far as I know iOS apps can inject code to be executed via WKUserScript as an alternative to evaluateJavascript and InAppBrowser.com cannot detect that since the injected code might run before the code of the web pag. See example code below:

let configuration = WKWebViewConfiguration()
configuration.allowsInlineMediaPlayback = false
let interceptorScript = WKUserScript(
       source: "window.fetch = () => {console.log(`fetch`)}; window.Promise = () => {console.log(`Promise`)}; window.addEventListener = () => { console.log(`addEventListener`) }",
       injectionTime: .atDocumentStart,
       forMainFrameOnly: false
)

configuration.userContentController.addUserScript(interceptorScript)
let webView = WKWebView(frame: .zero, configuration: configuration)

injectionTime: .atDocumentStart here means that this code will be executed immediately after document element is created but before any other script is executed. This means that app side can override almost any primitive/built-in present in the page and do whatever they want with them (like listening for certain things and transferring information back to the app.).

See: https://developer.apple.com/documentation/webkit/wkuserscript

mortargrind avatar Aug 20 '22 23:08 mortargrind