Q: What about Web Browser Controls (WebOCs) inside my native code applications?
A: In many cases, WebOCs inside a native application are used to render trusted content delivered from the application itself, or from a server controlled by the application’s vendor. In such cases, and presuming that all content is loaded over HTTPS, the security risk of the use of a WebOC is significantly lower. Rendering untrusted HTML in a WebOC is strongly discouraged, as WebOCs are even less secure than Internet Explorer itself. For compatibility reasons, numerous security features are disabled by default in WebOCs, and the WebOC does not run content in any type of process sandbox.
Looking forward, the new Chromium-based WebView2 control should be preferred over WebOCs for scenarios that require the rendering of HTML content within an application.
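
One way a native host could enforce the "trusted content, loaded over HTTPS" condition described above, as an added example that is not part of the original FAQ: a conservative check the application would call from its navigation event handler before letting the control load a URL. The function name `IsTrustedNavigation`, the host names, and the port-443-only policy are assumptions made for illustration.

```cpp
#include <algorithm>
#include <cctype>
#include <set>
#include <string>

// Hypothetical allowlist: hosts the application vendor controls (placeholder names).
static const std::set<std::string> kTrustedHosts = {"app.example.com", "help.example.com"};

// Returns true only for https:// URLs whose host is exactly on the allowlist.
// Ambiguous input is rejected rather than normalised, because the rendering
// engine's URL parser may interpret odd input differently from this check.
bool IsTrustedNavigation(const std::string& url) {
    // Reject whitespace, control characters, non-ASCII bytes and backslashes.
    for (unsigned char c : url)
        if (c <= 0x20 || c >= 0x7f || c == '\\') return false;

    // Scheme must be https (compared case-insensitively).
    const std::string scheme = "https://";
    if (url.size() <= scheme.size()) return false;
    std::string head = url.substr(0, scheme.size());
    std::transform(head.begin(), head.end(), head.begin(),
                   [](unsigned char c) { return std::tolower(c); });
    if (head != scheme) return false;

    // The authority runs up to the first '/', '?' or '#'.
    size_t end = url.find_first_of("/?#", scheme.size());
    std::string authority = url.substr(scheme.size(),
        end == std::string::npos ? std::string::npos : end - scheme.size());

    // Userinfo ("app.example.com@other.example") hides the real host: reject.
    if (authority.find('@') != std::string::npos) return false;

    // Split off an optional port; this example policy allows only 443.
    std::string host = authority;
    size_t colon = authority.find(':');
    if (colon != std::string::npos) {
        if (authority.substr(colon + 1) != "443") return false;
        host = authority.substr(0, colon);
    }

    std::transform(host.begin(), host.end(), host.begin(),
                   [](unsigned char c) { return std::tolower(c); });
    // Exact match only: no suffix matching, so "app.example.com.other.example" fails.
    return kTrustedHosts.count(host) == 1;
}
```

A host that also loads its own local or `about:` pages would handle those through a separate, explicit path rather than by loosening this check.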