WebProcessProxy::shouldAllowNonValidInjectedCode checks whether the injected bundle is in /System, because everything coming from there shouldn’t commingle with non-valid code. But platforms apps may use injected bundles from outside /System (for example, Safari uses a bundle embedded in its app bundle for its website icon and snapshot fetching), and those should still not allow non-valid code. Patch forthcoming.
*** This bug has been marked as a duplicate of bug 183275 ***
Reopening to attach new patch.
Created attachment 334880 [details] Never allow non-valid injected code into a Web Content process serving a platform binary
Oops. *** This bug has been marked as a duplicate of bug 183275 ***