
Unsafe default Chrome launch arguments

Open francisbeaudoin opened this issue 1 year ago • 3 comments

Context: Are there any specific reasons behind launching the Chrome process with disable-web-security? https://github.com/rubycdp/ferrum/blob/19767d0885afbebc95574eda685e04dc9da2b47d/lib/ferrum/browser/options/chrome.rb#L12

This flag at least disables the same-origin policy, and hence has security implications if the browser is navigating to arbitrary websites.

Suggestion: Do not use the disable-web-security flag by default.

francisbeaudoin avatar Jul 04 '24 16:07 francisbeaudoin

Hey @route 👋 I'm wondering if we could get this changed in the defaults?

francisbeaudoin avatar Mar 10 '25 18:03 francisbeaudoin

I think it's useful for Cuprite and tests, so we could move it there and remove it from Ferrum.

route avatar Mar 11 '25 05:03 route

Hi, +1 for this request. When ferrum is used to interact with untrusted user input (i.e. screenshot a website), --disable-web-security can lead to terrible side effects, like reading local files on the server.

I.e., if ferrum was tasked with taking a screenshot of https://site/page.html with the following contents:

<iframe src="file:///etc/passwd"></iframe>, then the contents of the file will be shown in the screenshot.

This should not be made possible for obvious reasons.

ldionmarcil avatar Apr 16 '25 14:04 ldionmarcil
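
Added example, not part of the thread and not Ferrum's code: a Ruby check that parses a browser process command line and reports switches that weaken isolation, so a deployment can confirm whether its automation still launches Chrome with `--disable-web-security`. The switch list beyond `disable-web-security`, the sample command line and the `/chrom/i` process-name heuristic are assumptions made for the example.

```ruby
# Switches that weaken browser isolation. "disable-web-security" is the flag from
# this thread; the other two are real Chromium switches added as an assumption.
RISKY_SWITCHES = {
  "disable-web-security" => "turns off the same-origin policy",
  "allow-file-access-from-files" => "lets file:// pages read other local files",
  "no-sandbox" => "runs renderers without the OS sandbox"
}.freeze

# Constructed sample argv blob, NUL-separated like /proc/<pid>/cmdline.
SAMPLE_UNSAFE = ["/usr/bin/chrome", "--headless", "--disable-web-security",
                 "--remote-debugging-port=0", "--", "--no-sandbox"].join("\0") + "\0"

# Parse a NUL-separated argv blob into { switch_name => value_or_nil }.
def parse_switches(cmdline)
  switches = {}
  cmdline.split("\0").drop(1).each do |arg|
    break if arg == "--"              # a bare "--" ends switch parsing
    next unless arg.start_with?("-")  # on POSIX both "--x" and "-x" are switches
    name, value = arg.sub(/\A--?/, "").split("=", 2)
    switches[name] = value
  end
  switches
end

# Return one finding string per risky switch present on the command line.
def audit_cmdline(cmdline)
  parse_switches(cmdline).keys.filter_map do |name|
    reason = RISKY_SWITCHES[name]
    "--#{name}: #{reason}" if reason
  end
end

# Linux only: audit every readable process whose argv[0] looks like Chrome/Chromium.
def audit_running_browsers
  Dir.glob("/proc/[0-9]*/cmdline").filter_map do |path|
    cmdline = (File.binread(path) rescue "") # process exited or is unreadable
    next unless File.basename(cmdline.split("\0").first.to_s).match?(/chrom/i)
    findings = audit_cmdline(cmdline)
    [path.split("/")[2].to_i, findings] unless findings.empty?
  end
end

if __FILE__ == $PROGRAM_NAME
  puts audit_cmdline(SAMPLE_UNSAFE)
  audit_running_browsers.each { |pid, f| puts "pid #{pid}: #{f.join('; ')}" }
end
```

In the sample, `--no-sandbox` appears after the bare `--`, so it is treated as a positional argument and not reported.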