- Puppeteer should preferably use the built-in sandbox (ie. do not set --no-sandbox, -disable-setuid-sandbox options). If that's not possible, the reasons should be documented. If it's not possible and other sandboxing is possible (e.g. firejail), we should look into that.
- Puppeteer should properly verify SSL certs; the ignoreHTTPSErrors probably disables that (if not, a reassuring comment would be good). If that's not possible, the reasons should be documented.
- Document the use of --ignoreHTTPSErrors flag
- Document the use of --no-sandbox flag and the firejail sandboxing in the project page or wikitech docs