=head1 SECURITY WARNING

L<WWW::Mechanize::Chrome> invokes an instance of C<google-chrome>
on behalf of the current user. Headless or not, C<google-chrome>
is invoked, and it carries along all of its current history, cookie jar,
stored passwords, configuration settings, etc.

I will repeat this: L<WWW::Mechanize::Chrome> invokes
C<google-chrome>, which may remember the history, passwords and cookies
that the current user has accumulated when using
C<google-chrome> for their private surfing earlier.

Additionally, L<WWW::Mechanize::Chrome::DOMops> executes
into the module's packages.
On top of that L<WWW::Mechanize::Chrome::DOMops> allows
that C<google-chrome> instance. For example the callbacks
on each element found, etc.

This is an example of what can go wrong:
you have just used C<google-chrome> to access your
Yahoo webmail and you did not log out.
So there will be an
access cookie in C<google-chrome> when you later
invoke it via L<WWW::Mechanize::Chrome>.
If you allow
unchecked user-specified (or copy-pasted from ChatGPT)
C<find()>, C<zap()>, etc. then it is, theoretically,
initiates an XHR to Yahoo, fetches your emails and
passes them on to your Perl code.

Another issue is with the saved passwords and
the browser's auto-fill when landing on a login form.

It is advised not to invoke C<google-chrome>
(via L<WWW::Mechanize::Chrome>) with your
identity, so that it does not have access to
your cookies, passwords, history, etc. So,
it is better to create a harmless C<google-chrome>
identity/profile and use that for your

No matter which identity you use, you may want
to erase the cookies and history of C<google-chrome>
upon its exit. That is good practice.

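
One way to follow the two recommendations above (a separate, harmless profile, and nothing left behind on exit), as an added example that is not part of this module's own code. The helper name C<launch_isolated_chrome> and the list of personal profile locations are assumptions made for illustration.

```perl
use strict;
use warnings;
use Cwd qw(abs_path);
use File::Temp qw(tempdir);
use Log::Log4perl qw(:easy);
use WWW::Mechanize::Chrome;

Log::Log4perl->easy_init($ERROR);

# Usual per-user Chrome/Chromium profile locations (Linux, macOS).
# Assumption: extend this list for your own platform.
my $home = $ENV{HOME} // '';
my @personal_profiles = grep { defined } map { abs_path($_) } (
    "$home/.config/google-chrome",
    "$home/.config/chromium",
    "$home/Library/Application Support/Google/Chrome",
);

# Hypothetical helper: start Chrome on a profile directory that is
# guaranteed not to be (or live inside) a personal profile.
sub launch_isolated_chrome {
    my ($dir) = @_;
    # No directory given: create an empty one, deleted at program exit.
    $dir //= tempdir('wmc-profile-XXXXXX', TMPDIR => 1, CLEANUP => 1);
    my $real = abs_path($dir)
        or die "profile directory '$dir' does not exist\n";
    for my $personal (@personal_profiles) {
        die "refusing to use personal profile '$real'\n"
            if $real eq $personal or index($real, "$personal/") == 0;
    }
    return WWW::Mechanize::Chrome->new(
        headless       => 1,
        data_directory => $real,  # empty profile: no cookies, passwords, history
        incognito      => 1,      # session data is not written to the profile
    );
}

my $mech = launch_isolated_chrome();
$mech->get('https://example.com/');
print $mech->title, "\n";

# Let Chrome exit first, so File::Temp can remove the profile afterwards.
undef $mech;
```
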
as L<WWW::Mechanize::Chrome::DOMops> callbacks if
it is taken from 3rd-party, human or not, e.g. ChatGPT.
Additionally, make sure that the current
installation of L<WWW::Mechanize::Chrome::DOMops>
code injected into it.