Hello, everyone,
maybe my question is a bit strange, but I was wondering why it is not allowed to inject javascript code from the browser into the main world.
Let me explain.
In the API ‘RenderFrameHostImpl::ExecuteJavaScript’, via ‘CanExecuteJavaScript’ it is explicitly required that the page is internal, whereas in ‘ExecuteJavaScriptInIsolatedWorld’ it is not permissible to use world 0.
At first I thought of a security constraint, which I cannot understand, since it is in any case permissible from an isolated world to modify the dom and insert a tag script generated from a data url, which then runs in the general context of the page.
can you help me understand why such a limitation was inserted?
thanks a lot!