> the web view has control over JavaScript<p>More explanation please. Can the host app inject a script into any page? That seems absurd.<p>> the keyCode attribute of the KeyboardEvent in the JavaScript event handler is provided for backward compatibility<p>Not only that but you can actually read a password input's value directly, no need to wait for keyboard events. This surprised be quite a bit. I had always thought these fields were not readable.