prisma-archive / chromeless-playground

https://chromeless.netlify.com/

Maybe some security risks? #2

Open jerrywdlee opened 7 years ago

jerrywdlee commented 7 years ago

I'd like to talk about a potential security risk in chromeless-playground. Chromeless-playground is a great demo app of chromeless. However, I found some potential security risks that may cause economic losses through malicious abuse. I found it is possible to access some sensitive data like REDIS_HOST and REDIS_PASSWORD. Besides that, I found your team uses an AWS service for redis. There's a possibility that someone could insert a large quantity of data into redis, which would jam the site and cause incredible sums on the AWS bills. Separating the main script environment from scripts parsed from users may solve this problem. Best wishes.

[screenshot: chromeless_playground]