[omneity]

Exposing Chrome CDP is a terrible idea from a security and privacy perspective. You get the keys to the whole kingdom (and expose them on a standard port with a well documented API). All security features of the web can be bypassed, and then some, as CDP exposes even more capabilities than chrome extensions and without any form of supervision.

[redblacktree]

You're talking about exposing Chrome CDP to the wider internet, right? Or are you highlighting these dangers in the local context?

[omneity]

In the local context as well. Unlike say the docker socket which is protected by default using unix permissions, the CDP protocol has no authorization, authentication or permission mechanism.

Anything on your machine (such as a rogue browser extension or a malicious npm/pypi package) could scan for this and just get all your cookies - and that's only the beginning of your problems.

CDP can access any origin, any data stored (localStorage, indexedDB ...), any javascript heap, cross iframe and origin boundaries, run almost undetectable code that uses your sessions without you knowing, and the list is very long. CDP was never meant to expose a real browser in an untrusted context.