I think the use-case is that the user is running their headless browser on a remote server with a good internet connection. Then they open an SSH tunnel to that server from their local machine which has low bandwidth--and the only thing that needs to be received by the local machine is the browsh rendering of the webpage.
If you weren’t the fine upstanding person you are, you’d have all the web traffic of users at your disposal: banking, secure interactions with healthcare providers, credentials to Hacker News, the whole nine yards.
With access to my email, you could probably reset a handful of my passwords to various services that don’t support dual factor auth, and you could probably discover what services I subscribe to.
I mean, I wouldn’t want you to have access to my email, but I would much rather that than a permanent man-in-the-middle web client.
It should be quite doable to spin up a container/VM on demand. I'd probably look at lxd/lxc or bsd jails for this (both with zfs for storage) - or if there now are any real ways to run containers under hw virtualization - maybe that.
I don't think I'd look too hard at lxd or freebsd as you already have a docker setup.
But hw isolation might be worth investigating - as others are saying - hostile access to a web browser, including webmail etc - is pretty dangerous. And plain docker never had a good story wrt secure isolation.
Apparently there was "hypernetes", now stackube - for combining VM runtime and kubernetes:
As for lxd/freebsd jails and zfs - both offer very nice and easy to grasp environment for isolated services - and both should end a little more isolated than a typicaldocker setup (some services running as root in container, no additional lxc restrictions).
But all things considered, if you already have k8/docker set up to give every user a separate, possibly ephemeral container... Infrastructure is probably not where I'd devote most time. It should work well enough as is.
Now that you describe it, yes indeed I can see the problems. I can't think of any other precedent, as most other proxies are least protected by HTTPS, wheres a Browsh service is literally reading every character on a page in plain text! So there's need to be a great deal of trust. I wonder if it's just too much to ask of people, especially where money is involved.
