From https://github.com/puppeteer/puppeteer/tree/main/docker#readme
Running the image
```
puppeteer-chrome puppeteer-chrome-linux node -e "`cat test.js`"
```

`--cap-add=SYS_ADMIN` capability is needed to enable Chromium sandbox that makes the browser more secure. Alternatively, it should be possible to start the browser binary with the `--no-sandbox` flag.
However, "Why is granting the SYS_ADMIN privilege for a Docker container "bad"?" answers:

> This is basically [gives] root access to the host.

- Is there a way to run that image securely without giving docker `--cap-add=SYS_ADMIN`?
As far as I understand, that is required for making the sandbox; maybe there is another way, or
- If it is guaranteed that locally generated files are passed to Chrome, will it be secure to disable the sandbox (particular case question)?

Frankly, it is laughable that, to make a sandbox for safer web browsing, the Docker image used is given root access, so a browser application with all possible browser-side security risks is now granted elevated permissions. I am sure a browser app must be given the least access possible (for browsing Internet/HTML files).
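
An added example, not part of the original question or the Puppeteer README: a small audit over `docker inspect` JSON that reports which side of the trade-off discussed above each container is on (`SYS_ADMIN` or `--privileged` granted, or Chromium started with `--no-sandbox`). The container names, the sample JSON and the finding labels are constructed for illustration.

```python
import json

# Constructed sample shaped like `docker inspect` output (not from a real host).
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "/pptr-capadd",
   "Config": {"Entrypoint": null, "Cmd": ["node", "-e", "puppeteer.launch()"]},
   "HostConfig": {"Privileged": false, "CapAdd": ["SYS_ADMIN"]}},
  {"Name": "/pptr-nosandbox",
   "Config": {"Entrypoint": null,
              "Cmd": ["node", "-e", "puppeteer.launch({args: ['--no-sandbox']})"]},
   "HostConfig": {"Privileged": false, "CapAdd": null}},
  {"Name": "/pptr-default",
   "Config": {"Entrypoint": null, "Cmd": ["node", "-e", "puppeteer.launch()"]},
   "HostConfig": {"Privileged": false, "CapAdd": null}}
]
""")


def normalize_cap(cap):
    """Docker accepts SYS_ADMIN and CAP_SYS_ADMIN, in any letter case."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def audit(container):
    """Return sorted finding labels for one `docker inspect` entry."""
    host = container.get("HostConfig") or {}
    cfg = container.get("Config") or {}
    findings = set()
    # --privileged grants every capability, SYS_ADMIN included.
    if host.get("Privileged"):
        findings.add("privileged")
    caps = {normalize_cap(c) for c in (host.get("CapAdd") or [])}
    if caps & {"SYS_ADMIN", "ALL"}:
        findings.add("cap-sys-admin")
    # The flag may sit in the argv itself or inside an inline `node -e` script.
    argv = (cfg.get("Entrypoint") or []) + (cfg.get("Cmd") or [])
    if any("--no-sandbox" in arg for arg in argv):
        findings.add("chromium-no-sandbox")
    return sorted(findings)


def audit_all(inspect_output):
    """Map container name -> findings for a full `docker inspect` list."""
    return {c.get("Name", "?").lstrip("/"): audit(c) for c in inspect_output}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_INSPECT).items():
        print(f"{name}: {', '.join(findings) or 'no findings'}")
```

On a real host the input would be the parsed output of `docker inspect` for the running containers; a `--no-sandbox` flag set in a script file mounted into the container is not visible to this check.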