=head1 SECURITY WARNING

L<WWW::Mechanize::Chrome> invokes an instance of C<google-chrome>
on behalf of the current user. Headless or not, it is
C<google-chrome> that is invoked, and it carries along all of that
user's current history, cookie jar, stored passwords,
configuration settings, etc.

I will repeat this: L<WWW::Mechanize::Chrome> invokes
C<google-chrome>, which may remember the history, passwords and cookies
that the current user has accumulated when using
C<google-chrome> for their private surfing earlier.

Additionally, L<WWW::Mechanize::Chrome::DOMops> executes
JavaScript code on that C<google-chrome> instance.
This happens internally, with JavaScript code hardcoded
into the module's packages.

On top of that, L<WWW::Mechanize::Chrome::DOMops> allows
B<user-specified JavaScript code> to be executed on
that C<google-chrome> instance, for example the callbacks
run on each element found.

This is an example of what can go wrong:
you have just used C<google-chrome> to access your
Yahoo webmail and you did not log out.
So there will be an
access cookie in C<google-chrome> when you later
invoke it via L<WWW::Mechanize::Chrome>.
If you allow
unchecked user-specified (or copy-pasted from ChatGPT)
JavaScript code in
L<WWW::Mechanize::Chrome::DOMops>'s
C<find()>, C<zap()>, etc., then it is, theoretically,
possible that this JavaScript code
initiates an XHR to Yahoo, fetches your emails and
passes them on to your Perl code.

Another issue is with the saved passwords and
the browser's auto-fill when landing on a login form.

It is advised not to invoke C<google-chrome>
(via L<WWW::Mechanize::Chrome>) with your
current/usual/everyday/email-access/bank-access
identity, so that it does not have access to
your cookies, passwords, history, etc.
It is better to create a harmless C<google-chrome>
identity/profile and use that for your
C<WWW::Mechanize::Chrome::DOMops> needs.

No matter what identity you use, you may want
to erase the cookies and history of C<google-chrome>
upon its exit. That's a good practice.
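
One way to follow the two recommendations above, as an added example that is not part of this module's own code: launch C<google-chrome> on a throwaway data directory which is deleted at exit. It assumes the C<headless>, C<incognito> and C<data_directory> constructor options of L<WWW::Mechanize::Chrome>; the URL is a constructed placeholder.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

use File::Temp ();
use Log::Log4perl qw(:easy);
use WWW::Mechanize::Chrome;

Log::Log4perl->easy_init($ERROR);

# Throwaway browser data directory. File::Temp creates it with mode 0700
# and removes it (cookies, history, cache and all) when $profile_dir
# goes out of scope at the end of the program.
my $profile_dir = File::Temp->newdir('wmc-domops-XXXXXX', TMPDIR => 1);

{
    # The browser object lives only inside this block, so it is destroyed
    # before the data directory above is cleaned up.
    my $mech = WWW::Mechanize::Chrome->new(
        headless       => 1,
        incognito      => 1,               # keep nothing from this session
        data_directory => "$profile_dir",  # not your everyday profile
    );

    # Constructed placeholder URL; replace with the page you want to process.
    $mech->get('https://example.com/');
    print 'Loaded: ', $mech->title, "\n";

    # ... pass $mech to WWW::Mechanize::Chrome::DOMops here, using only
    #     JavaScript callbacks you have reviewed ...
}

# At this point $mech is gone and the browser it launched should have been
# shut down. $profile_dir is removed when the script ends, so no cookies,
# saved logins or history from this run are left behind on disk.
print "Browser data was kept in $profile_dir and will now be deleted\n";
```

Because the data directory starts empty, the browser has no webmail session cookie and no saved passwords for the auto-fill to offer, whatever JavaScript is run in it.
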

It is also advised to review any JavaScript code you provide
as L<WWW::Mechanize::Chrome::DOMops> callbacks if
it is taken from a 3rd party, human or not, e.g. ChatGPT.

Additionally, make sure that the current
installation of L<WWW::Mechanize::Chrome::DOMops>
on your system has not been compromised by malicious JavaScript
code injected into it.