Cookie handling is all possible to control as well. Access to the following methods, as described in this blog, is also controlled via the same process.
(void)setCookie:(NSHTTPCookie *)cookie completionHandler:(nullable void (^)(void))completionHandler;
The WebKit blog article gives several use cases, and Apple also provided some guidance in a WWDC 2020 video (watch here), where they explicitly said that using AppBoundDomains is a best practice.
Veracode has kept up by being able to scan instances of WKWebView in an application’s code and ensure that a proper AppBoundDomain entry has been tied to that in the application bundle. If not, we’ll alert our customers to that effect, and in those cases usually, a quick fix is all that’s necessary, as Apple made this easy to integrate into the application.
Most of these efforts have been made to ensure that built-in privacy protections became the norm on iOS. In the older UIWebView, private data can and has been taken, and this protection is a means to prevent that. For Desktop Safari users, you might notice that recent versions of OS X will now prevent some website trackers from tracking your browsing history, and other data. We live in a connected world, busily browsing the internet, but without the right protections the services provided tend to take the same attitude towards you, and that certainly includes your data.
To learn more about iOS security, visit our knowledge base.