From: Jakub Kądziołka
To: 38831@debbugs.gnu.org
Cc: mhw@netris.org
Date: Tue, 31 Dec 2019 15:24:01 +0100
Subject: bug#38831: IceCat: some codecs don't work without workaround

Hello,

I had some problems with video codecs in IceCat 68.3.0-guix0-preview1.
For example, consider this page: http://demo.nimius.net/video_test/. By
default, the videos under the headings H.264 / AAC and MPEG4 don't work
("No video with supported format and MIME type found.").

The following steps make the first of these videos work:
1. Open about:config
2. Click "I accept the risk!"
3. Set security.sandbox.content.read_path_whitelist to /gnu/store/
   (the trailing / is important).

The instructions were originally sketched out in this help-guix
message:
https://lists.gnu.org/archive/html/help-guix/2019-12/msg00150.html

I believe it would be beneficial to make this a default.

On IRC, bandali suggested that it would be better to only whitelist the
necessary store subdirectories. I don't know how to gather such a list,
but it seems like a good idea.

I don't know how about:config entries modified by the user behave when
IceCat is updated, but in some of the behaviors I can imagine, the
config entry stops updating, in which case it would be better to add the
paths to some internal whitelist (I reckon such a whitelist already
exists and contains something like /usr/lib).

Regards,
Jakub Kądziołka

CC: mhw as suggested by nckx

From: Jakub Kądziołka
To: control@debbugs.gnu.org
Date: Wed, 15 Jan 2020 14:18:09 +0100
Subject: Merge bugs about IceCat sandboxing

merge 38831 39127
tags 38831 + patch

From: help-debbugs@gnu.org (GNU bug Tracking System)
To: Jakub Kądziołka
Date: Thu, 16 Jan 2020 06:27:03 +0000
Subject: bug#38831: closed (Re: IceCat: some codecs don't work without workaround)

Your bug report

#38831: IceCat: some codecs don't work without workaround

which was filed against the guix package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 38831@debbugs.gnu.org.

-- 
38831: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=38831
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems

From: Mark H Weaver
To: Jakub Kądziołka
Cc: 38831-done@debbugs.gnu.org, 38045-done@debbugs.gnu.org
Date: Thu, 16 Jan 2020 01:24:50 -0500
Subject: Re: IceCat: some codecs don't work without workaround

Hi Jakub,

Jakub Kądziołka wrote:
> I had some problems with video codecs in IceCat 68.3.0-guix0-preview1.
> For example, consider this page: http://demo.nimius.net/video_test/. By
> default, the videos under the headings H.264 / AAC and MPEG4 don't work
> ("No video with supported format and MIME type found.").
>
> The following steps make the first of these videos work:
> 1. Open about:config
> 2. Click "I accept the risk!"
> 3. Set security.sandbox.content.read_path_whitelist to /gnu/store/
>    (the trailing / is important).
>
> The instructions were originally sketched out in this help-guix
> message:
> https://lists.gnu.org/archive/html/help-guix/2019-12/msg00150.html
>
> I believe it would be beneficial to make this a default.
>
> On IRC, bandali suggested that it would be better to only whitelist the
> necessary store subdirectories. I don't know how to gather such a list,
> but it seems like a good idea.

Thank you for bringing this to my attention. I agree with Amin Bandali
that a more precise whitelist is preferable. Moreover, I was not
comfortable whitelisting all of /gnu/store.

I'm glad to report that it appears to be sufficient to whitelist the
RUNPATH of libavcodec.so, plus the /share/mime/ directory from
shared-mime-info. I've implemented this in commit
429c8284d232c3f9fbe3dc87a3da323f3a864c03 and pushed it to 'master'.

> I don't know how about:config entries modified by the user behave when
> IceCat is updated, but in some of the behaviors I can imagine, the
> config entry stops updating,

As currently implemented, we now arrange to set the *default* value of
'security.sandbox.content.read_path_whitelist' to an appropriate
whitelist.

Users who have customized 'security.sandbox.content.read_path_whitelist'
to work around this issue should now erase that customization, by
right-clicking on its entry in , and clicking on "Reset".
It might also be necessary to restart IceCat after doing so.

> in which case it would be better to add the paths to some internal
> whitelist (I reckon such a whitelist already exists and contains
> something like /usr/lib).

I agree that it would be preferable, but I wasn't sufficiently motivated
to implement it. Feel free to propose a patch. I'm not sure it would
make much of a difference in practice though, because the net result for
anyone who has customized it to /gnu/store/ will be the same: until they
reset their customization, their effective whitelist will be all of
/gnu/store/*.

What do you think?

Anyway, thanks to everyone who contributed to this fix! I'm closing
both the older bug (38045) and the more recent duplicate (38831), but
feel free to reopen if appropriate.

     Mark

From: Julien Lepiller
To: 38831@debbugs.gnu.org, mhw@netris.org, kuba@kadziolka.net
Date: Thu, 16 Jan 2020 07:29:01 -0500
Subject: bug#38831: IceCat: some codecs don't work without workaround

On 16 January 2020 01:24:50 GMT-05:00, Mark H Weaver wrote:
> Hi Jakub,
>
> Jakub Kądziołka wrote:
>> I had some problems with video codecs in IceCat 68.3.0-guix0-preview1.
>> For example, consider this page: http://demo.nimius.net/video_test/. By
>> default, the videos under the headings H.264 / AAC and MPEG4 don't work
>> ("No video with supported format and MIME type found.").
>>
>> The following steps make the first of these videos work:
>> 1. Open about:config
>> 2. Click "I accept the risk!"
>> 3. Set security.sandbox.content.read_path_whitelist to /gnu/store/
>>    (the trailing / is important).
>>
>> The instructions were originally sketched out in this help-guix
>> message:
>> https://lists.gnu.org/archive/html/help-guix/2019-12/msg00150.html
>>
>> I believe it would be beneficial to make this a default.
>>
>> On IRC, bandali suggested that it would be better to only whitelist the
>> necessary store subdirectories. I don't know how to gather such a list,
>> but it seems like a good idea.
>
> Thank you for bringing this to my attention. I agree with Amin Bandali
> that a more precise whitelist is preferable. Moreover, I was not
> comfortable whitelisting all of /gnu/store.
>
> I'm glad to report that it appears to be sufficient to whitelist the
> RUNPATH of libavcodec.so, plus the /share/mime/ directory from
> shared-mime-info. I've implemented this in commit
> 429c8284d232c3f9fbe3dc87a3da323f3a864c03 and pushed it to 'master'.
>
>> I don't know how about:config entries modified by the user behave when
>> IceCat is updated, but in some of the behaviors I can imagine, the
>> config entry stops updating,
>
> As currently implemented, we now arrange to set the *default* value of
> 'security.sandbox.content.read_path_whitelist' to an appropriate
> whitelist.
>
> Users who have customized 'security.sandbox.content.read_path_whitelist'
> to work around this issue should now erase that customization, by
> right-clicking on its entry in , and clicking on "Reset".
> It might also be necessary to restart IceCat after doing so.
>
>> in which case it would be better to add the paths to some internal
>> whitelist (I reckon such a whitelist already exists and contains
>> something like /usr/lib).
>
> I agree that it would be preferable, but I wasn't sufficiently motivated
> to implement it. Feel free to propose a patch. I'm not sure it would
> make much of a difference in practice though, because the net result for
> anyone who has customized it to /gnu/store/ will be the same: until they
> reset their customization, their effective whitelist will be all of
> /gnu/store/*.
>
> What do you think?
>
> Anyway, thanks to everyone who contributed to this fix! I'm closing
> both the older bug (38045) and the more recent duplicate (38831), but
> feel free to reopen if appropriate.
>
>      Mark

Hi,

Thanks for the fix! We'll need something similar for webgl (mesa and
dependencies at least), unless your patch already fixes it? I haven't
checked.
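
The approach discussed in this thread, as an added example that is not part of the original messages and is not the code from the Guix commit: it builds a narrow whitelist from a library's RUNPATH plus the shared-mime-info directory, then compares what that value exposes with the /gnu/store/ workaround. The store paths, the sample RUNPATH and the matching rule (an entry ending in / covers a whole tree, any other entry covers only that exact path) are assumptions made for illustration.

```python
import posixpath

STORE_ROOT = "/gnu/store"  # Guix store root, as named in the thread

# Constructed sample data: hashes and versions are placeholders, not real items.
FFMPEG_LIB = "/gnu/store/" + "a" * 32 + "-ffmpeg-x.y/lib"
GLIBC_LIB = "/gnu/store/" + "b" * 32 + "-glibc-x.y/lib"
MIME_DIR = "/gnu/store/" + "c" * 32 + "-shared-mime-info-x.y/share/mime"
UNRELATED = "/gnu/store/" + "d" * 32 + "-other-package-x.y/etc/settings"
SAMPLE_RUNPATH = FFMPEG_LIB + ":" + GLIBC_LIB + ":$ORIGIN/../lib"

def whitelist_from_runpath(runpath, extra_dirs=()):
    """Build a pref value from a colon-separated RUNPATH plus extra dirs."""
    entries = []
    for raw in runpath.split(":") + list(extra_dirs):
        raw = raw.strip()
        if not raw.startswith("/"):  # skip $ORIGIN and relative entries
            continue
        entry = posixpath.normpath(raw).rstrip("/") + "/"  # "/" marks a tree
        if entry not in entries:
            entries.append(entry)
    return ",".join(entries)

def split_whitelist(value):
    """Return (tree_entries, exact_entries) of a comma-separated pref value."""
    trees, exact = [], []
    for entry in (e.strip() for e in value.split(",")):
        if not entry:
            continue
        norm = posixpath.normpath(entry)
        if entry.endswith("/"):
            trees.append(norm.rstrip("/") + "/")
        else:
            exact.append(norm)
    return trees, exact

def is_readable(path, value):
    """Assumed model: tree entries match by prefix, other entries exactly."""
    path = posixpath.normpath(path)
    trees, exact = split_whitelist(value)
    return path in exact or any(
        path.startswith(t) or path + "/" == t for t in trees)

def overly_broad(value):
    """Tree entries that expose the whole store (its root or an ancestor)."""
    trees, _ = split_whitelist(value)
    return [t for t in trees if (STORE_ROOT + "/").startswith(t)]

def demo():
    narrow = whitelist_from_runpath(SAMPLE_RUNPATH, [MIME_DIR])
    codec = FFMPEG_LIB + "/libavcodec.so"
    values = {"narrow": narrow, "workaround": "/gnu/store/",
              "no-slash": "/gnu/store"}
    rows = {k: {"codec": is_readable(codec, v),
                "unrelated": is_readable(UNRELATED, v),
                "broad": overly_broad(v)} for k, v in values.items()}
    return narrow, rows

if __name__ == "__main__":
    narrow, rows = demo()
    print(narrow)
    for label, row in rows.items():
        print(label, row)
```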