The encoding/decoding routines used by WebKit’s InjectedBundles are based on NSCoding. While we have changed WebKit internals to use NSSecureCoding, there are a number of injected bundles that need to serialize custom classes between the InjectedBundle and the relevant WebKit UIProcess. We need to lock down this communications channel by enforcing NSSecureCoding. This patch creates new SPI to allow the UIProcess to specify classes that it will accept in messages from the WebContet Process (and Injected Bundle). It adds the following property to the WKProcessPoolConfiguration: @property (nonatomic, copy) NSSet<Class> *customClassesForParameterCoder; Clients that wish to serialize custom classes would do something like the following: _WKProcessPoolConfiguration *configuration = [[_WKProcessPoolConfiguration alloc] init]; ... various setup steps ... // An InjectedBundle will be used: [configuration setInjectedBundleURL:[[NSBundle mainBundle].builtInPlugInsURL URLByAppendingPathComponent:@"Example.wkbundle" isDirectory:YES]]; // So specify any custom classes for the use case: [configuration setCustomClassesForParameterCoder:[NSSet setWithObjects:[Example1 class], [Example2 class], [Example3 class], nil]]; If no custom classes are specified, the standard serialization primitives are supported: NSArray, NSData, NSDate, NSDictionary, NSNull, NSNumber, NSSet, NSString, NSTimeZone, NSURL, and NSUUID.