fix: remove unnecessary security-disabling Puppeteer flags

daniel-lxs · daniel-lxs · commit ba8b8d8e0caa · 2025-06-27T18:16:51.000-05:00
- Removed --disable-web-security flag that bypasses CORS and CSP
- Removed --no-sandbox flag that disables Chrome's security sandbox
- Removed --disable-setuid-sandbox flag that weakens process isolation

These flags were not necessary for resolving the URL loading timeout issues
and introduced significant security risks. The timeout issues are better
addressed through the increased timeouts and retry logic already in the PR.
diff --git a/src/services/browser/UrlContentFetcher.ts b/src/services/browser/UrlContentFetcher.ts
@@ -52,14 +52,10 @@ export class UrlContentFetcher {
 		this.browser = await stats.puppeteer.launch({
 			args: [
 				"--user-agent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36",
-				"--no-sandbox",
-				"--disable-setuid-sandbox",
 				"--disable-dev-shm-usage",
 				"--disable-accelerated-2d-canvas",
 				"--no-first-run",
-				"--no-zygote",
 				"--disable-gpu",
-				"--disable-web-security",
 				"--disable-features=VizDisplayCompositor",
 			],
 			executablePath: stats.executablePath,
