add a comment explaining the security measure

Author: jinliu9508

OneSignalSDK/onesignal/in-app-messages/src/main/java/com/onesignal/inAppMessages/internal/display/impl/WebViewManager.kt

@@ -329,6 +329,23 @@ internal class WebViewManager(
         webView!!.loadData(base64Message, "text/html; charset=utf-8", "base64")
     }
 
+    /**
+     * Applies security hardening to the WebView to prevent common vulnerabilities.
+     *
+     * Security measures:
+     * - JavaScript is enabled for IAM functionality but file access is completely blocked
+     * - Prevents file:// URL access to mitigate local file inclusion attacks
+     * - Blocks cross-origin access from file URLs to prevent data exfiltration
+     * - Disables mixed content (HTTP resources on HTTPS pages) to prevent MITM attacks
+     *
+     * This configuration protects against:
+     * 1. Malicious JavaScript accessing local device files
+     * 2. Cross-site scripting (XSS) attacks via file:// protocol
+     * 3. Man-in-the-middle attacks via downgraded HTTP content
+     *
+     * @SuppressLint is used because JavaScript is required for IAM functionality,
+     * but we mitigate the risk through strict file access controls.
+     */
     @SuppressLint("SetJavaScriptEnabled")
     fun secureSetup(webView: WebView) =
         with(webView.settings) {