Puppeteer --no-sandbox security risk - puppeteer

I've read (Running headless Chrome / Puppeteer with --no-sandbox) that --no-sandbox has security risks, but why? I am on Ubuntu 16.04 and node.js. I don't know what the setting does, so can someone explain?
I've read the short snippet from here: https://github.com/puppeteer/puppeteer/blob/main/docs/troubleshooting.md, but I still don't know what this sandbox is for. A page on the headless browser can't have security problems unless it finds a loophole and downloads files, right?

Related

How bad is unprivileged_userns_clone option for systems security?

We're having some issues running our Electron-based app on Debian 10. As it uses the Chrome runtime, Chrome requires its sandbox to run and, by default, the Chrome sandbox won't run on Debian.
Surely, the basic solution would be to run without the sandbox on Debian, but that option has massive security risks that I'm not comfortable with.
There are other options. The one described in the Electron docs and oh so many tutorials is enabling the kernel.unprivileged_userns_clone flag:
echo kernel.unprivileged_userns_clone = 1 | sudo tee /etc/sysctl.d/00-local-userns.conf
Supposedly that's how it works on other desktop distributions, like Ubuntu. Yet there still are security risks that I just don't fully understand. So far I've found several relevant discussions:
https://lwn.net/Articles/673597/
https://forum.mxlinux.org/viewtopic.php?t=54591
But I'm failing to grasp what exactly the tradeoff is here. How does enabling unprivileged_userns_clone affect security? What are these risks exactly? Are there better options to run the Chrome sandbox on Debian securely (as we are stuck with it)?

Puppeteer, PWA and installation?

How does Puppeteer handle PWA installation? Can I just assume that no installation will take place?
I searched for "puppeteer pwa" but could not find any info.
Puppeteer is really a tool for testing an application. It is a headless browser and therefore would not offer any real way to test or simulate the installation flow.
The service worker should register and the initial life cycle should trigger. However, it is headless, which means state is not preserved. So you are more or less doing an Incognito session each test run.

Forcing proxy when running chrome over command line?

I'm trying to run headless e2e tests with Chrome and Selenium, but I'm having issues getting Chrome to adhere to a proxy server. When just trying to get Chrome to use a proxy server as per the documentation, it gets completely ignored.
Is there anything obviously wrong with these configurations?
/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --proxy-server='p-uk1.biscience.com:80'
/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --proxy-server='http=p-uk1.biscience.com:80;https=p-uk1.biscience.com:80'
In each instance, when checking a 'what is my IP' style website I get my usual IP. And when checking chrome://net-internals/#proxy the connection continues to show a DIRECT configuration.
Using a Mac, but exact same issue when trying the same configuration on my 14.04 Ubuntu box :(

Using getUserMedia() on insecure origins in Chrome

I am developing a webpage that uses a camera. When I test in Chrome on my local network, the camera doesn't work and I get a warning in the console:
getUserMedia() no longer works on insecure origins. To use this feature, you should consider switching your application to a secure origin, such as HTTPS. See link for more details.
In the link provided there is an instruction to set some flags in Chrome. So I tried. My command looks like this:
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --unsafely-treat-insecure-origin-as-secure="192.168.0.15" --user-data-dir=c:\chrome-dev-profile
But when I run Chrome I get this message:
You are using an unsupported command-line flag: --unsafely-treat-insecure-origin-as-secure. Stability and security will suffer.
What am I doing wrong?
Is there another way I can test in local network without setting up https server? I need this just for development.
Luka,
I ran into this bug just yesterday. I have not found out how to get Chrome to honor that flag on the command line yet. But I did find a workaround that works for my case.
I'm running my web services on a Linux machine that is running an SSH server. I'm testing on Windows with Chrome, and used PuTTY to connect to the Linux box from Windows and then created a "local port forward" to make my remote Linux box's ipaddress:port appear on localhost:port on Windows. Depending on your platform this workaround may work for you. This approach isn't too cumbersome if you only have a few ports to forward.
In my particular case my setting for PuTTY looked like:
L8080 localhost:8080
To see more about port forwarding and SSH, see: https://help.ubuntu.com/community/SSH/OpenSSH/PortForwarding

Restart Chrome native messaging host

I've written a Chrome extension and companion native messaging host. I don't have any issues with it failing to start or crashing, but I would like to be able to restart it for updates of the extension. I can't find anything in the documentation or elsewhere regarding this. Is it even possible, or does the browser need to be restarted? Due to the nature of the extension, I'd like to avoid restarting the browser if possible.
Documentation can be found here, but it's not exactly robust.
https://developer.chrome.com/extensions/nativeMessaging
Upon further investigation I have found that restarting the native host application manually is not required. Chrome does this itself on update of the extension. However, that breaks the ability to send messages to the native host application from content scripts that have already been loaded, which was causing the issue I was seeing. Pages can be reloaded to fix messaging.