> > https://labs.mwrinfosecurity.com/blog/2013/09/24/webview-addjavascriptinterface-remote-code-execution/
> >
> > > I don't know enough about the reasons for the different bridges to
> > > know whether this is a good idea or not.
> > >
> >
> > This is why we can't have nice things!
> >
>
> Ouch... that's a good reason to disable that bridge completely for APIs < 17; never
> mind whether noFrak is enabled or not. If it's likely that addJavascriptInterface
> has other holes like this, then we should talk about removing it entirely.
>

Seems harsh to disable that bridge completely:

"The following JavaScript, *if injected into a WebView*"

This is nothing new, third party <script> tags or content are always a security concern. Making a "safer" bridge the default seems best; it still does mean the bridge is free from third-party injection attacks.
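
The API-level gate discussed in this thread, as an added example that is not part of the original messages and is not Cordova's code. The class, method and bridge names (`SafeBridgeInstaller`, `NativeApi`, `_nativeApi`) and the allowlist entries are hypothetical; the Android calls are the platform's own.

```java
import android.os.Build;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/** Hypothetical helper: registers the object bridge only where the platform can restrict it. */
public final class SafeBridgeInstaller {

    /** Constructed allowlist of "service.action" pairs the page may invoke. */
    private static final Set<String> ALLOWED = new HashSet<String>(
            Arrays.asList("Device.getInfo", "Network.getStatus"));

    /**
     * Object handed to the WebView. When the app targets API 17+ and runs on an
     * API 17+ device, only methods annotated with @JavascriptInterface are
     * callable from page script; inherited methods such as getClass() are not.
     */
    public static final class NativeApi {
        @JavascriptInterface
        public String exec(String service, String action) {
            String call = service + "." + action;
            if (!ALLOWED.contains(call)) {
                return "{\"status\":\"denied\"}";
            }
            // Dispatch to the real handler here; the example only acknowledges.
            return "{\"status\":\"ok\"}";
        }
    }

    /** @return true if the object bridge was installed, false if a fallback bridge is needed. */
    public static boolean install(WebView webView) {
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.JELLY_BEAN_MR1) {
            // Before API 17 every public method of the registered object,
            // inherited ones included, is exposed to any script in the page,
            // so the object is never registered on those devices.
            return false;
        }
        webView.addJavascriptInterface(new NativeApi(), "_nativeApi");
        return true;
    }

    private SafeBridgeInstaller() { }
}
```

The annotation restricts which methods are reachable, not who may call them, so script injected into the page can still invoke `exec`; the allowlist inside it is what bounds the damage.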
