[GH-ISSUE #4882] firefox: cannot play Netflix/widevine with VPN on #2797

Open
opened 2026-05-05 09:27:12 -06:00 by gitea-mirror · 5 comments

Originally created by @bhepple on GitHub (Jan 27, 2022).
Original GitHub issue: https://github.com/netblue30/firejail/issues/4882

Description

I have a VPN running which interferes with running Netflix in firefox so I want to use firejail to side-step the VPN but have other programs running under the VPN. I can run Netflix in firefox as normal without the VPN in operation.

Steps to Reproduce

firejail --name=NOVPN --net=wlp3s0 --defaultgw=192.168.0.1 firefox --no-remote -P netflix https://www.netflix.com/au

... the home page loads but when I play a movie, I always get Netflix error code F7702-1003, i.e. it refuses to play (widevine problem? I sometimes get a "widevine crashed" message)

I tried implementing https://github.com/netblue30/firejail/issues/799 (commenting out caps.drop etc in firefox-common.profile). Running the same command, I get the same result.

I've also tried this with the same result:

firejail --ignore='noexec ${HOME}' --noprofile --name=NOVPN --net=wlp3s0 --defaultgw=192.168.0.1 firefox --no-remote -P netflix https://www.netflix.com/au

From https://github.com/netblue30/firejail/issues/3681, I tried this in /etc/firejail/firejail.config:

browser-allow-drm yes
browser-disable-u2f no

But I get the same result.

Expected behavior

Play movies

Actual behavior

Widevine crashes; movies don't play; Netflix error code F7702-1003

Simple sites such as http://www.bom.gov.au/products/IDR662.loop.shtml work fine.

Behavior without a profile

Same

Additional context

Environment

fedora f34
Linux achar 5.15.14-100.fc34.x86_64 #1 SMP Tue Jan 11 16:53:51 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
firejail version 0.9.64.4

Checklist

  • [x] The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • [x] I can reproduce the issue without custom modifications (e.g. globals.local).
  • [x] The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • [x] The profile (and redirect profile if exists) hasn't already been fixed upstream.
  • [x] I have performed a short search for similar issues (to avoid opening a duplicate).
  • [x] I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • [ ] I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Output of firejail --name=NOVPN --net=wlp3s0 --defaultgw=192.168.0.1 firefox --no-remote -P netflix https://www.netflix.com/au

$ firejail --name=NOVPN --net=wlp3s0 --defaultgw=192.168.0.1 firefox --no-remote -P netflix https://www.netflix.com/au 
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Parent pid 397001, child pid 397004

Interface        MAC                IP               Mask             Status
lo                                  127.0.0.1        255.0.0.0        UP    
eth0-397001      ac:72:89:33:cc:2d  192.168.0.245    255.255.255.0    UP    
Default gateway 192.168.0.1

Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Child process initialized in 1363.41 ms

###!!! [Parent][MessageChannel::Call] Error: Channel error: cannot send/recv


###!!! [Parent][MessageChannel::Call] Error: Channel error: cannot send/recv


###!!! [Parent][MessageChannel::Call] Error: Channel error: cannot send/recv


###!!! [Parent][MessageChannel::Call] Error: Channel error: cannot send/recv


###!!! [Parent][MessageChannel::Call] Error: Channel error: cannot send/recv


###!!! [Parent][MessageChannel::Call] Error: Channel error: cannot send/recv


###!!! [Parent][MessageChannel::Call] Error: Channel error: cannot send/recv


###!!! [Parent][MessageChannel::Call] Error: Channel error: cannot send/recv

[Parent 15, IPC I/O Parent] WARNING: FileDescriptorSet destroyed with unconsumed descriptors: file /builddir/build/BUILD/firefox-95.0.2/ipc/chromium/src/chrome/common/file_descriptor_set_posix.cc:19

###!!! [Parent][RunMessage] Error: Channel closing: too late to send/recv, messages will be lost


Parent is shutting down, bye...


EDIT by @rusty-snake: Fixed markdown checklist formatting; Fixed details tag.

gitea-mirror added the networking label 2026-05-05 09:27:12 -06:00

@smitsohu commented on GitHub (Jan 27, 2022):

Open two terminals and in one run sudo journalctl -f -g seccomp, then in the other start Firefox with Firejail option --seccomp-error-action=log added. Does that work? If it does, what messages are printed to the journal?

Something else worth trying could be to run Firejail with --ignore=whitelist and/or --ignore=blacklist (only to debug this issue, the resulting sandbox will be very weak).


@smitsohu commented on GitHub (Jan 27, 2022):

I should read more carefully. You already tried

firejail --ignore='noexec ${HOME}' --noprofile --name=NOVPN --net=wlp3s0 --defaultgw=192.168.0.1 firefox --no-remote -P netflix https://www.netflix.com/au

It is broken despite --noprofile, so you should disregard my comment above. Seems that widevine indeed doesn't like something about the network setup.


@bhepple commented on GitHub (Jan 28, 2022):

Nothing exotic in my network config - it's just a simple laptop on a wireless connection, running nordvpn:

$ ip r
0.0.0.0/1 via 10.8.2.4 dev tun0 
default via 192.168.0.1 dev wlp3s0 proto dhcp metric 600 
10.8.2.0/24 dev tun0 proto kernel scope link src 10.8.2.4 
103.1.212.99 via 192.168.0.1 dev wlp3s0 
128.0.0.0/1 via 10.8.2.4 dev tun0 
192.168.0.0/24 dev wlp3s0 proto kernel scope link src 192.168.0.108 metric 600 
$ firejail --noprofile  --name=NOVPN --net=wlp3s0 --defaultgw=192.168.0.1 ip r
Parent pid 773461, child pid 773462

Interface        MAC                IP               Mask             Status
lo                                  127.0.0.1        255.0.0.0        UP    
eth0-773461      ac:72:89:33:cc:2d  192.168.0.122    255.255.255.0    UP    
Default gateway 192.168.0.1

Child process initialized in 1090.93 ms
default via 192.168.0.1 dev eth0-773461 
192.168.0.0/24 dev eth0-773461 proto kernel scope link src 192.168.0.122 

Parent is shutting down, bye...
$ sudo iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
$ nslookup bbc.co.uk
Server:		103.86.96.100
Address:	103.86.96.100#53

Non-authoritative answer:
Name:	bbc.co.uk
Address: 151.101.0.81
Name:	bbc.co.uk
Address: 151.101.64.81
Name:	bbc.co.uk
Address: 151.101.128.81
Name:	bbc.co.uk
Address: 151.101.192.81
Name:	bbc.co.uk
Address: 2a04:4e42::81
Name:	bbc.co.uk
Address: 2a04:4e42:200::81
Name:	bbc.co.uk
Address: 2a04:4e42:400::81
Name:	bbc.co.uk
Address: 2a04:4e42:600::81
$ firejail --noprofile  --name=NOVPN --net=wlp3s0 --defaultgw=192.168.0.1 nslookup bbc.co.uk
Parent pid 773968, child pid 773969

Interface        MAC                IP               Mask             Status
lo                                  127.0.0.1        255.0.0.0        UP    
eth0-773968      ac:72:89:33:cc:2d  192.168.0.52     255.255.255.0    UP    
Default gateway 192.168.0.1

Child process initialized in 1097.91 ms
Server:		103.86.96.100
Address:	103.86.96.100#53

Non-authoritative answer:
Name:	bbc.co.uk
Address: 151.101.192.81
Name:	bbc.co.uk
Address: 151.101.64.81
Name:	bbc.co.uk
Address: 151.101.0.81
Name:	bbc.co.uk
Address: 151.101.128.81
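
What the two routing tables pasted in the post above mean for egress, as an added example that is not part of the original thread: a longest-prefix-match lookup over the `ip r` output for the host and for the sandbox. The function names are made up for this example, and a missing metric is assumed to be 0 (it only acts as a tie-break).

```python
import ipaddress

# Routing tables copied from the `ip r` output in the post above.
HOST_ROUTES = """\
0.0.0.0/1 via 10.8.2.4 dev tun0
default via 192.168.0.1 dev wlp3s0 proto dhcp metric 600
10.8.2.0/24 dev tun0 proto kernel scope link src 10.8.2.4
103.1.212.99 via 192.168.0.1 dev wlp3s0
128.0.0.0/1 via 10.8.2.4 dev tun0
192.168.0.0/24 dev wlp3s0 proto kernel scope link src 192.168.0.108 metric 600
"""
SANDBOX_ROUTES = """\
default via 192.168.0.1 dev eth0-773461
192.168.0.0/24 dev eth0-773461 proto kernel scope link src 192.168.0.122
"""


def parse_routes(text):
    """Return (network, device, metric) tuples from `ip route` output."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or "dev" not in fields:
            continue
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(prefix, strict=False)  # bare host -> /32
        dev = fields[fields.index("dev") + 1]
        # Assumption: a route printed without a metric is treated as metric 0.
        metric = int(fields[fields.index("metric") + 1]) if "metric" in fields else 0
        routes.append((net, dev, metric))
    return routes


def egress_device(routes, destination):
    """Longest prefix wins, lowest metric breaks ties; None if no route matches."""
    addr = ipaddress.ip_address(destination)
    matches = [r for r in routes if r[0].version == addr.version and addr in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r[0].prefixlen, -r[2]))[1]


def bypasses_vpn(routes, vpn_dev, probes):
    """Destinations in `probes` that would not leave through `vpn_dev`."""
    return [d for d in probes if egress_device(routes, d) != vpn_dev]


if __name__ == "__main__":
    probes = ["151.101.0.81", "103.86.96.100", "103.1.212.99"]
    for name, table in (("host", HOST_ROUTES), ("sandbox", SANDBOX_ROUTES)):
        routes = parse_routes(table)
        for dst in probes:
            print(f"{name:8} {dst:15} -> {egress_device(routes, dst)}")
```

On the host the two /1 routes outrank the default route, so everything except the 103.1.212.99 host route goes through tun0; inside the sandbox the same lookups, including the resolver 103.86.96.100 shown in both nslookup runs, leave through the sandbox interface.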


@leukimi commented on GitHub (Aug 7, 2024):

Same kind of "issue" on openSUSE Tumbleweed with firejail v0.9.72.

The solution is:

sudo sed -i 's/# browser-allow-drm no/browser-allow-drm yes/g' /etc/firejail/firejail.config

If you prefer a patch for more clarity:

--- /etc/firejail/firejail.config.orig
+++ /etc/firejail/firejail.config
@@ -20,7 +20,7 @@
 # bind yes
 
 # Allow (DRM) execution in browsers, default disabled.
-# browser-allow-drm no
+browser-allow-drm yes
 
 # Disable U2F in browsers, default enabled.
 # browser-disable-u2f yes
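
Review bot: The added line "browser-allow-drm yes" sits directly under a comment that still reads "default disabled", with nothing recording that this is a deliberate local override or why it was made. Because the file being patched is /etc/firejail/firejail.config, the setting applies to every browser sandbox on the host rather than to one Firefox profile; add a one-line comment above the changed line stating the reason (DRM playback), and keep the .orig copy so the edit can be re-checked when a package update replaces or merges this file.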

Maybe it would help if someone could explain why this option is disabled by default and why it is not possible to add the option locally in $HOME/.config/firejail/firefox.local without messing with system files belonging to a package.


@rusty-snake commented on GitHub (Aug 7, 2024):

Moved to #6434
