search

alvarcarto / url-to-pdf-api

Web page PDF/PNG rendering done right. Self-hosted service for rendering receipts, invoices, or any content.
MIT License
7.01k stars 774 forks source link

Remove '--no-sandbox --disable-setuid-sandbox' flags #39

Closed aarohmankad closed 6 years ago

aarohmankad commented 6 years ago

Removing these options due to Chrome vulnerability. See GoogleChrome/puppeteer#290.

This PR is probably not mergeable immediately, as there need to be some changes to our Heroku box. Could someone with access take a look at it?

kimmobrunfeldt commented 6 years ago

Thanks for pushing the removal of these flags. To make it complete, we'd need to make Chromium work with sandbox in Heroku. We're using this buildpack to install needed dependencies for Chromium into Heroku.

You can also deploy this app to Heroku for free, you just need an account. The easiest way to get started is to click the Deploy to Heroku button in readme. It will guide you through.

To Chromium with sandbox running correcly inside Heroku, I think we need to do at least:

  1. Install all dependencies needed for sandbox and Chromium (see https://github.com/GoogleChrome/puppeteer/blob/master/docs/troubleshooting.md#running-puppeteer-in-docker as an example). Buildpack is already doing most of this I think.
  2. Disable puppeteer's automatic Chromium downloading with PUPPETEER_SKIP_CHROMIUM_DOWNLOAD=true
  3. Launch browser with the separately downloaded Chromium binary
  4. Make sure Heroku is running another user then root. Apparently root is causing problems with sandbox.
  5. Make sure all of this is not hurting the local development experience
kimmobrunfeldt commented 6 years ago

Closing due to inactivity. It wasn't merged because of the above reasons.