phantomjs --web-security=no
In the documentation for PhantomJS, there is an option to turn off web security and allow XHR (cross-domain requests).
Does this present a security risk to the user if they are filling in forms with credentials such as usernames and passwords, and downloading screenshots with Casper/Phantom?
Maybe.
Allowing cross-domain XHR opens you up to a few attacks, e.g. see https://stackoverflow.com/a/7615287/841830. See also "Is CORS a secure way to do cross-domain AJAX requests?"
But this tends not to come up in the normal use cases for Phantom: whether testing your own web site, or screen-scraping, you tend to go to pre-decided URLs and links, are not sending secret information, and are not going to be tricked into a new and suspicious link. You are unlikely to be logged into your bank, or Facebook, while testing a site or scraping Google search results. (But, if scraping Google pages that force you to sign in to Google first, be a bit more careful - perhaps set up a dedicated Gmail account for scraping.)
So, in summary, the attacks are a bit more obscure and unlikely, compared to a normal desktop browsing session, but are still there, so use --web-security=no when your script would otherwise not work.
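
The answer's reliance on pre-decided URLs can be enforced in the script itself rather than assumed. The following is an added example, not part of the original answer: it aborts every request whose host is not on an allowlist, using PhantomJS's `page.onResourceRequested` hook. `ALLOWED_HOSTS`, `hostOf`, `isAllowed` and the example.com URLs are hypothetical names and constructed values.

```javascript
// Added example: host allowlist for a script run with --web-security=no.
// ALLOWED_HOSTS is a constructed placeholder; list the hosts your script needs.
var ALLOWED_HOSTS = ['example.com', 'static.example.com'];

// Return the lowercase host of an http(s) URL, or null for anything else
// (file:, data:, malformed input). ES5 only: PhantomJS has no URL class.
function hostOf(url) {
  var s = String(url);
  // Fail closed on backslashes and whitespace, which URL parsers
  // normalise in ways a simple regex would not follow.
  if (/[\\\s]/.test(s)) { return null; }
  var m = /^https?:\/\/([^\/?#]*)/i.exec(s);
  if (!m) { return null; }
  var authority = m[1];
  // Drop userinfo so "http://example.com@evil.test/" resolves to evil.test.
  var at = authority.lastIndexOf('@');
  if (at !== -1) { authority = authority.slice(at + 1); }
  // Drop the port, then normalise case.
  var host = authority.replace(/:\d*$/, '').toLowerCase();
  return host || null;
}

// Exact-match check: subdomains must be listed explicitly.
function isAllowed(url, allowed) {
  var host = hostOf(url);
  return host !== null && allowed.indexOf(host) !== -1;
}

// Wire the check into PhantomJS only when running under it, so the
// helper functions above can also be exercised outside PhantomJS.
if (typeof phantom !== 'undefined') {
  var page = require('webpage').create();
  page.onResourceRequested = function (requestData, networkRequest) {
    if (!isAllowed(requestData.url, ALLOWED_HOSTS)) {
      console.log('blocked: ' + requestData.url);
      networkRequest.abort();
    }
  };
  page.open('https://example.com/', function (status) {
    console.log('load status: ' + status);
    phantom.exit(status === 'success' ? 0 : 1);
  });
}
```

Because only http(s) URLs with a listed host pass, `file:` and `data:` requests are blocked as well; loosen `hostOf` deliberately if the target page depends on them.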