[GH-ISSUE #3471] Properly document how to "Drastically reduce security for profiles which need to open stuff in [browser name]"

gitea-mirror commented

2026-05-05 08:51:35 -06:00

Owner

Originally created by @ssokolow on GitHub (Jun 18, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3471

Regarding this:

Cannot open hyperlink with web browser using another application

It is recommended to copy-paste links from with application with the hyperlink into an already running web browser. This will always be the safest bet, allbeit not very user-friendly. See #2228 and #2047

I consider copy-pasting links from within the application an unacceptable workflow regression, even without the Qt bug in Kubuntu 16.05 LTS that causes clipboard functionality in Qt apps to die once uptime hits 50 days, and the paste URLs in #2228 time out, so I can't work from those.

Please consider providing proper documentation for what one must take into account when writing a custom "Firefox, locked down as far as can be done without compromising workflow" profile as a defense-in-depth strategy.

(At the moment, having no idea where I'm going wrong and I'm waffling between abandoning Firejail, using Rust to write an "expose Firefox remoting on the D-Bus session bus" daemon which could get launched alongside Firefox in its jail, or checking how onerous it would be to use Bubblewrap or locally-customized Flatpaks to achieve the desired effect.)

(My goal is to have apps, Firejail'd or not, using a Firejaild Firefox as an HTTP/HTTPS handler, and Firejail'd Firefox and Chromium using a Firejaild Deluge as a magnet link handler.)

EDIT: Sorry for the (repeated) typo in the old version of the previous paragraph. I'm not fully alert right now.

Originally created by @ssokolow on GitHub (Jun 18, 2020). Original GitHub issue: https://github.com/netblue30/firejail/issues/3471 Regarding this: > **Cannot open hyperlink with web browser using another application** > > It is recommended to copy-paste links from with application with the hyperlink into an already running web browser. This will always be the safest bet, allbeit not very user-friendly. See #2228 and #2047 I consider copy-pasting links from within the application an unacceptable workflow regression, even without the Qt bug in Kubuntu 16.05 LTS that causes clipboard functionality in Qt apps to die once uptime hits 50 days, and the paste URLs in #2228 time out, so I can't work from those. Please consider providing proper documentation for what one must take into account when writing a custom "Firefox, locked down as far as can be done without compromising workflow" profile as a defense-in-depth strategy. (At the moment, having no idea where I'm going wrong and I'm waffling between abandoning Firejail, using Rust to write an "expose Firefox remoting on the D-Bus session bus" daemon which could get launched alongside Firefox in its jail, or checking how onerous it would be to use Bubblewrap or locally-customized Flatpaks to achieve the desired effect.) (My goal is to have apps, Firejail'd or not, using a Firejaild Firefox as an HTTP/HTTPS handler, and Firejail'd Firefox and Chromium using a Firejaild Deluge as a magnet link handler.) **EDIT:** Sorry for the (repeated) typo in the old version of the previous paragraph. I'm not fully alert right now.

gitea-mirror added the

enhancement

sandbox-ipc

documentation

labels 2026-05-05 08:51:36 -06:00

gitea-mirror commented

2026-05-05 08:51:38 -06:00

Author

Owner

@SkewedZeppelin commented on GitHub (Jun 18, 2020):

Offtopic:

causes clipboard functionality in Qt apps to die once uptime hits 50 days

There are kernel updates every single week with many security patches.
Please reboot your machine more often. 😉

@SkewedZeppelin commented on GitHub (Jun 18, 2020): Offtopic: > causes clipboard functionality in Qt apps to die once uptime hits 50 days There are kernel updates every single week with many security patches. Please reboot your machine more often. :wink:

gitea-mirror commented

2026-05-05 08:51:38 -06:00

Author

Owner

@ssokolow commented on GitHub (Jun 18, 2020):

I will as soon as I finish writing the improved tooling so it doesn't take me 15 minutes of acute time after each reboot and another ~15 of "diffuse waste" over the rest of the day whenever I have to rebuild my desktop session state after logging out.

(And no, "as soon as I finish writing the improved tooling" is not a joke. At the moment, the first thing in line for completion is something half-way between Leafpad and desktop sticky notes, which auto-saves, remembers all geometry and state for each window, and treats manually-specified filenames as optional. After that, maybe a Vim plugin which does something similar for open Vim windows without the workflow warts I see in existing options. ...neither of which are tools that get along with DE-level session-persistence functionality. Then probably something which jerry-rigs some smarter window-geometry persistence onto multi-window Firefox sessions using my prior experience using libwnck and python-xlib to write "non-desktop-specific window manager extensions". Having the budget for an SSD and a CPU faster than an Athlon II X2 270 would probably also help.)

@ssokolow commented on GitHub (Jun 18, 2020): I will as soon as I finish writing the improved tooling so it doesn't take me 15 minutes of acute time after each reboot and another ~15 of "diffuse waste" over the rest of the day whenever I have to rebuild my desktop session state after logging out. (And no, "as soon as I finish writing the improved tooling" is not a joke. At the moment, the first thing in line for completion is something half-way between Leafpad and desktop sticky notes, which auto-saves, remembers all geometry and state for each window, and treats manually-specified filenames as optional. After that, maybe a Vim plugin which does something similar for open Vim windows without the workflow warts I see in existing options. ...neither of which are tools that get along with DE-level session-persistence functionality. Then probably something which jerry-rigs some smarter window-geometry persistence onto multi-window Firefox sessions using my prior experience using libwnck and python-xlib to write "non-desktop-specific window manager extensions". Having the budget for an SSD and a CPU faster than an Athlon II X2 270 would probably also help.)

gitea-mirror commented

2026-05-05 08:51:40 -06:00

Author

Owner

@ghost commented on GitHub (Jun 18, 2020):

(At the moment, having no idea where I'm going wrong and I'm waffling between abandoning Firejail, using Rust to write an "expose Firefox remoting on the D-Bus session bus" daemon which could get launched alongside Firefox in its jail, or checking how onerous it would be to use Bubblewrap or locally-customized Flatpaks to achieve the desired effect.)

Perhaps exposing Firefox remoting on the D-Bus session bus can be integrated into the recent D-Bus work (see #3265, #3326 and #3406)?

@ghost commented on GitHub (Jun 18, 2020): > (At the moment, having no idea where I'm going wrong and I'm waffling between abandoning Firejail, using Rust to write an "expose Firefox remoting on the D-Bus session bus" daemon which could get launched alongside Firefox in its jail, or checking how onerous it would be to use Bubblewrap or locally-customized Flatpaks to achieve the desired effect.) Perhaps exposing Firefox remoting on the D-Bus session bus can be integrated into the recent D-Bus work (see #3265, #3326 and #3406)?

gitea-mirror commented

2026-05-05 08:51:41 -06:00

Author

Owner

@rusty-snake commented on GitHub (Jun 19, 2020):

Assuming firefox is already running, I think it would look like this.

# IF HAS_WHITELIST
noblacklist ${HOME}/.mozilla
whitelist ${HOME}/.mozilla/firefox/profiles.ini
read-only ${HOME}/.mozilla/firefox/profiles.ini
# ELSE
noblacklist ${HOME}/.mozilla
read-only ${HOME}/.mozilla
# FI

# IF DBUS_USER_NONE
ignore dbus-user none
dbus-user filter
dbus-user.talk org.mozilla.firefox.* // or own?
# ELIF DBUS_USER_FILTER
dbus-user.talk org.mozilla.firefox.* // or own?
# FI

# IF HAS_PRIVATE_BIN
private-bin firefox,bash,sh,mkdir,…
# FI

# IF HAS_PRIVATE_LIB
private-lib mozilla
# FI

@rusty-snake commented on GitHub (Jun 19, 2020): Assuming firefox is already running, I think it would look like this. ``` # IF HAS_WHITELIST noblacklist ${HOME}/.mozilla whitelist ${HOME}/.mozilla/firefox/profiles.ini read-only ${HOME}/.mozilla/firefox/profiles.ini # ELSE noblacklist ${HOME}/.mozilla read-only ${HOME}/.mozilla # FI # IF DBUS_USER_NONE ignore dbus-user none dbus-user filter dbus-user.talk org.mozilla.firefox.* // or own? # ELIF DBUS_USER_FILTER dbus-user.talk org.mozilla.firefox.* // or own? # FI # IF HAS_PRIVATE_BIN private-bin firefox,bash,sh,mkdir,… # FI # IF HAS_PRIVATE_LIB private-lib mozilla # FI ```

gitea-mirror commented

2026-05-05 08:51:42 -06:00

Author

Owner

@rusty-snake commented on GitHub (Jun 19, 2020):

The customizations differ between firefox-x11 and firefox-wayland.

@rusty-snake commented on GitHub (Jun 19, 2020): The customizations differ between firefox-x11 and firefox-wayland.

gitea-mirror commented

2026-05-05 08:51:44 -06:00

Author

Owner

@ssokolow commented on GitHub (Jun 21, 2020):

Sorry for not responding. I've been sleeping terribly the last couple of days, so I haven't done anything with Firejail.

I'll give you a proper response as soon as I'm in a proper state of mind again.

@ssokolow commented on GitHub (Jun 21, 2020): Sorry for not responding. I've been sleeping terribly the last couple of days, so I haven't done anything with Firejail. I'll give you a proper response as soon as I'm in a proper state of mind again.

gitea-mirror commented

2026-05-05 08:51:45 -06:00

Author

Owner

@ssokolow commented on GitHub (Jun 24, 2020):

...and now I'm getting signs of impending hardware failure, so I need to deal with that before I can respond.

@ssokolow commented on GitHub (Jun 24, 2020): ...and now I'm getting signs of impending hardware failure, so I need to deal with that before I can respond.

gitea-mirror commented

2026-05-05 08:51:46 -06:00

Author

Owner

@ghost commented on GitHub (Jul 23, 2020):

@ssokolow Hoping you're okay, including the hardware. As a FYI I've recently put together a few basic shell scripts to open stuff in a firejailed web browser that might be helpful/inspirational. See this for more context.

@ghost commented on GitHub (Jul 23, 2020): @ssokolow Hoping you're okay, including the hardware. As a FYI I've recently put together a few basic shell scripts to open stuff in a firejailed web browser that might be helpful/inspirational. See [this](https://github.com/netblue30/firejail/issues/2228#issuecomment-436518756) for more context.

gitea-mirror commented

2026-05-05 08:51:47 -06:00

Author

Owner

@ssokolow commented on GitHub (Jul 24, 2020):

Better than I was before.

My sleep is still on and off, and I still have to finish with the hardware work, but I've made sure the backups of everything on the potentially failing drive are up to date and viable, ordered and received the replacement hardware (I'm taking the opportunity to expand my storage and finally get an SSD), and I'm now just making preparations to get my upgrade from Kubuntu 16.04 LTS to 20.04 LTS done as part of the hardware upgrade to save time and effort.

@ssokolow commented on GitHub (Jul 24, 2020): Better than I was before. My sleep is still on and off, and I still have to finish with the hardware work, but I've made sure the backups of everything on the potentially failing drive are up to date and viable, ordered and received the replacement hardware (I'm taking the opportunity to expand my storage and finally get an SSD), and I'm now just making preparations to get my upgrade from Kubuntu 16.04 LTS to 20.04 LTS done as part of the hardware upgrade to save time and effort.

gitea-mirror referenced this issue

2026-05-05 10:15:46 -06:00

[PR #2180] [MERGED] Create artha.profile #4208

Rows
Columns

[GH-ISSUE #3471] Properly document how to "Drastically reduce security for profiles which need to open stuff in [browser name]" #2180