
bliako's scratchpad

by bliako (Monsignor)
on Jun 11, 2016 at 14:36 UTC ( [id://1165398]=scratchpad )

=head1 SECURITY WARNING

L<WWW::Mechanize::Chrome> invokes an instance of C<google-chrome> on behalf of the current user. Headless or not, C<google-chrome> is invoked. And it carries along all its current history, cookie jar, stored passwords, configuration settings, etc. I will repeat this: L<WWW::Mechanize::Chrome> invokes C<google-chrome>, which may remember the history, passwords and cookies that the current user has accumulated when using C<google-chrome> for their private surfing earlier.

Additionally, L<WWW::Mechanize::Chrome::DOMops> executes javascript code on that C<google-chrome> instance. I mean internally, with javascript code hardcoded into the module's packages. On top of that, L<WWW::Mechanize::Chrome::DOMops> allows B<user-specified javascript code> to be executed on that C<google-chrome> instance, for example the callbacks run on each element found, etc.

This is an example of what can go wrong: you have just used C<google-chrome> to access your yahoo webmail and you did not log out. So, there will be an access cookie in C<google-chrome> when you later invoke it via L<WWW::Mechanize::Chrome>. If you allow unchecked user-specified (or copy-pasted from ChatGPT) javascript code in L<WWW::Mechanize::Chrome::DOMops>'s C<find()>, C<zap()>, etc., then it is, theoretically, possible that this javascript code initiates an XHR to yahoo, fetches your emails and passes them on to your perl code. Another issue is with the saved passwords and the browser's auto-fill when landing on a login form.

It is advised not to invoke (via L<WWW::Mechanize::Chrome>) C<google-chrome> with your current/usual/everyday/email-access/bank-access identity, so that it does not have access to your cookies, passwords, history etc. So, it is better to create a harmless C<google-chrome> identity/profile and use that for your L<WWW::Mechanize::Chrome::DOMops> needs. No matter what identity you use, you may want to erase the cookies and history of C<google-chrome> upon its exit. That's a good practice.

It is also advised to review javascript code you provide as L<WWW::Mechanize::Chrome::DOMops> callbacks if it is taken from a third party, human or not, e.g. ChatGPT. Additionally, make sure that the current installation of L<WWW::Mechanize::Chrome::DOMops> on your system is not compromised with malicious javascript code injected into it.
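The "harmless profile, erased on exit" advice above, as an added example script (not code from L<WWW::Mechanize::Chrome> or L<WWW::Mechanize::Chrome::DOMops>). It assumes that C<data_directory> and C<headless> are constructor options of L<WWW::Mechanize::Chrome> (verify against the version installed on your system); the URL is a placeholder.

```perl
#!/usr/bin/env perl
# Added example: launch google-chrome under a throw-away profile so the
# automation never sees the user's everyday cookies, saved passwords or
# history, and the profile directory is deleted when the script exits.
use strict;
use warnings;
use File::Temp qw(tempdir);
use WWW::Mechanize::Chrome;

# A fresh, empty profile directory. CLEANUP => 1 removes the directory,
# and with it any cookies, history or cache chrome wrote, at process exit.
my $profile_dir = tempdir('wmc-profile-XXXXXX', TMPDIR => 1, CLEANUP => 1);

# Assumption: 'data_directory' becomes chrome's --user-data-dir and
# 'headless' starts it without a window; both are documented options of
# WWW::Mechanize::Chrome as far as I recall, so check your installed version.
my $mech = WWW::Mechanize::Chrome->new(
    headless       => 1,
    data_directory => $profile_dir,
);

# Placeholder target; nothing here depends on the site.
$mech->get('https://example.com/');
printf "fetched '%s' using throw-away profile %s\n", $mech->title, $profile_dir;

# Any DOMops callbacks (find(), zap(), ...) run in this instance now operate
# on a browser with no prior identity, so a stray XHR from unreviewed
# javascript has no cookies or saved passwords to carry.

undef $mech;    # shuts chrome down before File::Temp erases the profile
```

Because the profile is created empty every run, the script also never benefits from saved logins, which is exactly the point: if a step needs credentials, pass them explicitly from your perl code rather than relying on the browser's auto-fill.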