feature: add fireurl #5574
base: master
This PR seems to contain changes from #5571, which makes it harder to review.
This PR takes care of cleaning up the 'level 1 hacks' from the affected
profiles.
Instead of removing the existing methods for opening URLs and potentially
breaking user setups (especially this close to the release), I'd suggest only
whitelisting the socket and adding fireurl to private-bin for now.
Obviously there's more work to be done to bring in fireurl
With just the changes mentioned above, maybe fireurl can work as an external
tool for now for whoever wants to try it, but I have concerns with regards to
adding it as is to this repository (I'll expand on this later on #5364, #5566
or maybe on a new discussion).
That's the thing though. User setups probably are already broken due to incomplete implementations of what was deemed necessary for allowing hyperlinks to be handled by a sandboxed Firefox. The whole point of migrating to a socket-driven approach like fireurl is to fix this and have a proper base from which to expand upon in the future. Like supporting more web browsers than Firefox, access control and path sanitization. Basically what is touched in #5364 for now. The draft status of the PR guarantees nothing will be changed as far as existing methods for URL handling are concerned.
But was it already broken as of 0.9.70 or was it broken afterwards? Also, by "broken" do you mean "not working at all" or half-working (such as by I do remember seeing multiple issues about this over time, but I assumed that
To be clear, I'd personally also prefer a socket-based approach compared to
I don't understand what you mean. Is this not intended to be merged? The draft status can mean WIP (and that the PR is intended to be merged Also, this comment is rather ambiguous: So what changes exactly (if any) are intended for 0.9.72?
Not sure. Will need more time to track things down in our git history.
Based on the string of issues we've been getting on problems with opening hyperlinks (with Firefox), I'm at a point that I'm not sure about what's what and when I re-read some of those I get conflicting impressions. That's a big part of what motivates me to try to find a reasonably secure way of ending this mess.
I'll try to answer your questions about the status of this PR. We might have different working definitions here. For me it's not as clear-cut as either WIP or POC. I didn't ponder on this fine distinction when I opened this to be honest. But I guess one can look at it as an ongoing attempt at a smallish POC :-)
I understand, no worries. Looking forward to reading your take on the topic. Have a nice weekend!
To clarify, I asked because if it was indeed broken after 0.9.70, then it's a Even with something like fireurl, I'm not sure how easy it would be to convince If it's hard to find out when it broke and why, and if it's deemed important
It's indeed confusing and I also remember reading conflicting accounts on this.
Yeah, the terms are not necessarily clear-cut / an "either or"; what I meant
Note: Some of these examples might make more sense in bigger projects (such as
Just to clarify, I don't understand the connection between "The draft status of So I assumed that you meant that "draft status" == "not intended to be merged
Thanks; you too!
Here it is:
When will this be added to master branch? Would love to be able to open links in Slack with Brave.
[WIP] [POC] This PR is part of an attempt to integrate @rusty-snake's fireurl into Firejail and finally fix opening hyperlinks between sandboxes properly and elegantly.
IMO this offers a much needed (and much overdue) improvement to Firejail's (default) handling of inter-sandbox URL transport.
This PR takes care of cleaning up the 'level 1 hacks' from the affected profiles. Obviously there's more work to be done to bring in fireurl, but all in all surprisingly little.
Relates to: