It might make it much harder to inject stuff, but since the apps control all aspects of the embedded browser and CSPs are enforced by the browser, they could feasibly just disable CSP enforcement and have the embedded browser ignore the CSP.
I don’t think Apple gives access to the CSP or a choice in obeying it. I’ve been working with WKWebView recently and don’t remember running across it.
Now you could go really far to get around it. Request resources yourself and hand them to WKWebView directly so no CSP is served but that’s not going to be easy. You’d have to scan for any other resources that might get loaded, pull those, inject them correctly, etc.
I'm not remotely an iOS dev, but the workaround you present seems reasonable to me?
Just make your own http(s) requests, fetch the page contents, ignore header CSP, strip CSP in the HTML and send the string to the web view thing. A cursory glance at the documentation seems to show that the web view thing allows for rendering HTML strings. Not sure if that also loads external resources in the HTML supplied, but if so it would be relatively minimal work.
(Companies have spent much more dev effort to get similar tracking capabilities. E.g. WeChat on Android implements an entirely custom rendering engine from scratch rather than use any system web view component.)
