
In-App Browsers Considered Harmful - xngzng
http://furbo.org/2014/09/24/in-app-browsers-considered-harmful/
======
tantalor
> the web view has control over JavaScript

More explanation please. Can the host app inject a script into any page? That
seems absurd.

> the keyCode attribute of the KeyboardEvent in the JavaScript event handler
> is provided for backward compatibility

Not only that but you can actually read a password input's value directly, no
need to wait for keyboard events. This surprised be quite a bit. I had always
thought these fields were not readable.

