why is "--no-sandbox" a unsafe arg in puppeteer?

Question

I've been having some issues to run puppeteer (and pyppeteer) in cloud. I found this "trick" as a solution, which works nice actually. but i've also seen people talking that is unsafe, and I can't really get why, mostly because I don't really understand what it does.

here goes some example:

const launchBrowser = async () => {
  puppetBrowser = await puppeteer.launch({
    args: ['--no-sandbox']
  });
};

_I've been having some issues to run puppeteer _ -- for completeness, you might want to briefly list what these issues are. You may [not actually need](https://meta.stackexchange.com/a/233676/399876) a sandbox. — ggorlen, Apr 08 '21 at 15:17

Christopher · Answer 1 · 2021-04-08T07:08:42.877

There is a very useful answer on stackexchange why sandboxes should be used. Overall the process sandbox just puts the process in some kind of jail on the OS and protects it more from other processes.

I was not sure I could post it as an answer as I did not specifically address "where vulnerability comes from" - and mere refs then own words. But anyhow –

Hopefully this shed some light on the topic of sandbox:

Quick introduction to Chrome's sandbox.

More in depth design document. With internal links to FAQ, etc.

And as stated, Google themselves recommend using another browser than using Chrome without sandbox. And then obviously understood as if one can fix it then that would be preferred ;)

(i updated the link here to the new source of the design document)

However, the sandbox feature may cause some trouble too. I for myself have trouble if i launch a chromium based application from a mounted NTFS partition in a directory (C:\somedir = \\hardisk2\partition1). Where turning it off, solves all challenges.

There are a lot of threads out there, where Steam for example "requires" the -no-cef-sandbox flag to display the web-content in several situations.

The cross origin-blocks or iframe-sandbox has nothing todo with the -no-sandbox flag. The cross origin blocks, are still active, even if you start the browser without the process sandbox. As you can see in this snippet. Just start a new session with -no-sandbox to proof it. Also keep in mind, that there is not even a sandbox flag on the iframe. (for example: chromium -incognito -no-sandbox https://stackoverflow.com/questions/66998228/why-is-no-sandbox-a-unsafe-arg-in-puppeteer)

window.accessChild = function(event) {
  try {
    this.contentWindow.document
  } catch (e) {
    alert(e.message);
  }
}

<iframe id="youtube" src="https://www.youtube.com/embed/4R-587BCu9k" onload="accessChild.call(this, event)"></iframe>

And you will get an alert with a cross origin access block.

why is "--no-sandbox" a unsafe arg in puppeteer?

1 Answers1