Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
playwright-core
Advanced tools
The playwright-core npm package is a library that provides a high-level API to control headless Chrome, Firefox, and WebKit with a single API. It is designed for automating web browser interactions for the purposes of web scraping, automated testing, and web automation.
Browser Automation
Automate browser actions such as opening pages, clicking on elements, and navigating websites.
const { chromium } = require('playwright-core');
(async () => {
const browser = await chromium.launch();
const page = await browser.newPage();
await page.goto('https://example.com');
// other actions...
await browser.close();
})();
Web Scraping
Extract data from web pages by navigating to them and retrieving the content.
const { firefox } = require('playwright-core');
(async () => {
const browser = await firefox.launch();
const page = await browser.newPage();
await page.goto('https://example.com');
const data = await page.content();
// process data...
await browser.close();
})();
Automated Testing
Perform automated tests on web applications by simulating user interactions and verifying page content.
const { webkit } = require('playwright-core');
(async () => {
const browser = await webkit.launch();
const page = await browser.newPage();
await page.goto('https://example.com');
const title = await page.title();
console.assert(title === 'Expected Page Title');
await browser.close();
})();
Puppeteer is a Node library which provides a high-level API over the Chrome DevTools Protocol. It is similar to playwright-core but was initially designed specifically for Chrome and later added support for Firefox. Puppeteer is developed by the Chrome DevTools team.
Selenium WebDriver is one of the most well-known browser automation tools. It supports multiple browsers and is language-agnostic, making it a popular choice for end-to-end testing. Unlike playwright-core, Selenium requires separate drivers for each browser and might be slower in execution.
Cypress is a front-end testing tool built for the modern web. It is both a library for writing tests and a test runner that executes the tests. Cypress offers a unique interactive test runner that allows you to see commands as they execute while also viewing the application under test. It differs from playwright-core in that it is primarily focused on testing and offers a more integrated testing experience.
Playwright is a Node library to automate the Chromium, WebKit and Firefox browsers with a single API. It enables cross-browser web automation that is ever-green, capable, reliable and fast.
ver | Linux | macOS | Win | |
---|---|---|---|---|
Chromium | 82.0.4057.0 | :white_check_mark: | :white_check_mark: | :white_check_mark: |
WebKit | 13.0.4 | :white_check_mark: | :white_check_mark: | :white_check_mark: |
Firefox | 73.0b13 | :white_check_mark: | :white_check_mark: | :white_check_mark: |
Our primary goal with Playwright is to improve automated UI testing by eliminating flakiness, improving the speed of execution and offering insights into the browser operation.
npm i playwright
This installs Playwright along with its dependencies and the browser binaries. Browser binaries are about 50-100MB each, so expect the installation network traffic to be substantial.
Playwright can be used to create a browser instance, open pages, and then manipulate them. See API docs for a comprehensive list.
This code snippet navigates to whatsmyuseragent.org in Chromium, Firefox and WebKit, and saves 3 screenshots.
const playwright = require('playwright');
(async () => {
for (const browserType of ['chromium', 'firefox', 'webkit']) {
const browser = await playwright[browserType].launch();
const context = await browser.newContext();
const page = await context.newPage();
await page.goto('http://whatsmyuseragent.org/');
await page.screenshot({ path: `example-${browserType}.png` });
await browser.close();
}
})();
This snippet emulates Mobile Safari on a device at a given geolocation, navigates to maps.google.com, performs action and takes a screenshot.
const { webkit, devices } = require('playwright');
const iPhone11 = devices['iPhone 11 Pro'];
(async () => {
const browser = await webkit.launch();
const context = await browser.newContext({
viewport: iPhone11.viewport,
userAgent: iPhone11.userAgent,
geolocation: { longitude: 12.492507, latitude: 41.889938 },
permissions: { 'https://www.google.com': ['geolocation'] }
});
const page = await context.newPage();
await page.goto('https://maps.google.com');
await page.click('text="Your location"');
await page.waitForRequest(/.*preview\/pwa/);
await page.screenshot({ path: 'colosseum-iphone.png' });
await browser.close();
})();
And here is the same script for Chrome on Android.
const { chromium, devices } = require('playwright');
const pixel2 = devices['Pixel 2'];
(async () => {
const browser = await chromium.launch();
const context = await browser.newContext({
viewport: pixel2.viewport,
userAgent: pixel2.userAgent,
geolocation: { longitude: 12.492507, latitude: 41.889938 },
permissions: { 'https://www.google.com': ['geolocation'] }
});
const page = await context.newPage();
await page.goto('https://maps.google.com');
await page.click('text="Your location"');
await page.waitForRequest(/.*pwa\/net.js.*/);
await page.screenshot({ path: 'colosseum-android.png' });
await browser.close();
})();
This code snippet navigates to example.com in Firefox, and executes a script in the page context.
const { firefox } = require('playwright');
(async () => {
const browser = await firefox.launch();
const context = await browser.newContext();
const page = await context.newPage();
await page.goto('https://www.example.com/');
const dimensions = await page.evaluate(() => {
return {
width: document.documentElement.clientWidth,
height: document.documentElement.clientHeight,
deviceScaleFactor: window.devicePixelRatio
}
})
console.log(dimensions);
await browser.close();
})();
Check out our contributing guide.
Yes, you can. See Browser in the API reference for the common set of APIs across Chromium, Firefox and WebKit. A small set of features are specific to browsers, for example see ChromiumBrowser.
Puppeteer is a Node library which provides a high-level API to control Chrome or Chromium over the DevTools Protocol. Puppeteer project is active and is maintained by Google.
We are the same team that originally built Puppeteer at Google, but has since then moved on. Puppeteer proved that there is a lot of interest in the new generation of ever-green, capable and reliable automation drivers. With Playwright, we'd like to take it one step further and offer the same functionality for all the popular rendering engines. We'd like to see Playwright vendor-neutral and shared governed.
With Playwright, we are making the APIs more testing-friendly as well. We are taking the lessons learned from Puppeteer and incorporate them into the API, for example, user agent / device emulation is set up consistently on the BrowserContext
level to enable multi-page scenarios, click
waits for the element to be available and visible by default, there is a way to wait for network and other events, etc.
Playwright also aims at being cloud-native. Rather than a single page, BrowserContext
abstraction is now central to the library operation. BrowserContext
s are isolated, they can be either created locally or provided as a service.
All the changes and improvements above would require breaking changes to the Puppeteer API, so we chose to start with a clean slate instead. Due to the similarity of the concepts and the APIs, migration between the two should be a mechanical task.
We recognize WebDriver as a universal standard for the web automation and testing. At the same time we were excited to see Puppeteer affect the WebDriver agenda, steer it towards the bi-directional communication channel, etc. We hope that Playwright can take it further and pioneer support for numerous PWA features across the browsers as they emerge:
[capabilities] With Playwright, we aim at providing a more capable driver, including support for mobile viewports, touch, web & service workers, geolocation, csp, cookie policies, permissions, accessibility, etc.
[ergonomics] We continue the trend set with Puppeteer and provide ergonomically-sound APIs for frames, workers, handles, etc.
[reliability] With Playwright, we encourage setTimeout
-free automation. The notion of the wall time is incompatible with the operation in the cloud / CI. It is a major source of flakiness and pain and we would like to provide an alternative. With that, Playwright aims at providing sufficient amount of events based on the browser instrumentation to make it possible.
Playwright does not patch the rendering engines. It either uses stock versions of the browsers (Chromium) or extends remote debugging protocols of the respective browsers (WebKit, Firefox) for better automation. There are no changes to the actual rendering engines, network stacks, etc. Our browsers are as pure as they can be.
Chromium: Playwright uses upstream versions of Chromium. When we need changes in the browser, they go into the browser directly and then we roll our dependency to that version of Chromium. As of today, we update Chromium as needed or at least once a month. We plan to synchronize our npm release cycle with the Chromium stable channel cadence.
WebKit: Playwright extends WebKit
's remote debugging protocol to expose additional capabilities to the driver. There are no other changes to the rendering engine, it is pure WebCore
in WebKit2
engine. We strip debugging features from the WebKit's Minibrowser
embedder and make it work headlessly. We use WebKit2
in a modern process isolation mode, enable mobile viewport, touch and geolocation on non-iOS platforms to be as close to WebKit on non-iOS as one can be.
We continuously upload our patches to WebKit for upstream review and would like to switch to the upstream-first mode of operation once we land most critical changes. Before new extensions to the remote debugging hit upstream they can be found in the browser_patches/webkit
folder.
Firefox: Playwright makes a number of modifications to Firefox's debugging channel as well. Same as above, no changes to the rendering engine itself. Those are adding support for content script debugging, workers, CSP, emulation, network interception, etc. etc.
Similarly to WebKit, we'd like to offer all of those for review upstream, for now they can be found in the browser_patches/firefox
folder.
The new Microsoft Edge browser is based on Chromium, so Playwright supports it.
Playwright is ready for your feedback. It respects semver, so please expect some API breakages as we release 1.0. All we can promise is that those breakages are going to be based on your feedback with the sole purpose of making our APIs better.
Playwright is being actively developed as we get to the feature parity across Chromium, Firefox and WebKit. Progress on each browser can be tracked on the Is Playwright Ready? page, which shows currently failing tests per browser.
FAQs
A high-level API to automate web browsers
The npm package playwright-core receives a total of 9,585,354 weekly downloads. As such, playwright-core popularity was classified as popular.
We found that playwright-core demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 4 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.