Handle XDG paths and WebKit sandboxing the right way. #1781
Comments
I suggest we add an "extension loading" test, e.g. with a dummy "hello world" extension. This is prone to break again in the future and I'm guessing from your work that extension support will soon be critical.
Yes, that seems to be the way to go. cl-webkit has a skeleton extension to start from.
A good blog post on the topic: https://blogs.gnome.org/mcatanzaro/2020/03/31/sandboxing-webkitgtk-apps/
K, creating
Do you have some code snippet to share?
This is how I've rewritten
(defmethod ffi-initialize ((browser gtk-browser) urls startup-timestamp)
  "gtk:within-main-loop handles all the GTK initialization. On
GNU/Linux, Nyxt could hang after 10 minutes if it's not
used. Conversely, on Darwin, if gtk:within-main-loop is used, no
drawing happens. Drawing operations on Darwin MUST originate from
the main thread, which the GTK main loop is not guaranteed to be
on."
  (log:debug "Initializing GTK Interface")
  ;; (setf (uiop:getenv "WEBKIT_FORCE_SANDBOX") "0")
  ;; 40 = 32 + 8
  ;; 32 is the flag for G_APPLICATION_NON_UNIQUE, allowing several instances to
  ;; run simultaneously.
  ;; 8 is the flag for G_APPLICATION_HANDLES_COMMAND_LINE.
  (let ((app (gio:g-application-new "engineer.Atlas.Nyxt" 40)))
    (gio:g-application-register app (cffi:null-pointer))
    ;; the rest of the function body, unchanged
    (gio:g-application-run app 0 (cffi:null-pointer))))
This was not sufficient. Even though there were no more warnings on the command line, the extensions didn't load. I dug into the I thought that They for some reason advise not to enable sandboxing in wyebadblock (an adblock extension for WebKit browsers) README. Maybe that's exactly because it complicates extension loading by a magnitude 🤔
Adding to the wyebadblock info: most WebKit browsers use Maybe GTK actually has a way to claim rights for
How would that work on non-FHS distributions like Nix and Guix?
No idea 0_o
On NixOS, we still have to disable sandbox I am not familiar with WebKit, but generally disabling sandbox for a browser is not a good idea. Are there any workarounds like disabling extensions?
That's fascinating. Nyxt works just fine on my NixOS installation. Then again, I compiled from source and am using a nix-shell. Perhaps there is something else awry here. Maybe it /will/ be fixed by this issue.
For the record, I'm on NixOS (recent unstable version) as well, and I sadly cannot use
I'm having the same issue as the other commenters on NixOS.
Ah, I forgot to update here. I've chosen to build from source as well and as John said above this works just fine. So this really seems to be an issue of the nixified build/install in
I think to resolve this reliably, we'll have to use the feature macro.
Note that for the systems that resolve extension directory to somewhere inside homedir, this snippet forces extension search outside it:
(defmethod files:resolve ((profile nyxt-profile) (file nyxt/renderer/gtk::gtk-extensions-directory))
  "The path to look for extensions at.
If it's beyond /home/username/, then you don't have to disable
sandboxing."
  #p"/usr/lib/nyxt/")
This snippet goes into I tried it and get:
The Nyxt window reopens twice and that's it. Or it won't help on WebKitGTK 2.40.0 as said here?
Won't help. This issue deals with a different topic.
Sandboxing is enabled by default in WebKitGTK and disabling it is dangerous. See WebKit/WebKit#8591. The experimental support for WebExtension has been dropped. Nyxt enables sandboxing and the claim can be checked via
In #1505, we moved the path for WebKit extensions from .config/nyxt/extensions/ to .local/share/nyxt/extensions/. After this, a warning emerged on Nyxt launch (text copied from #1505 (comment)):
After a brief Internet search, I've followed the approach of setting WEBKIT_FORCE_SANDBOX to 0 in 48ac0d8. While not exactly a fine move, it made extensions work again.
I have two concerns there:
But did extension loading work in the first place? It seemed to work on simple examples and .config/nyxt/extensions/ directory, but it was a long time ago.
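
A preflight check for the two conditions this issue discusses, as an added example that is not Nyxt's own code: it resolves the extensions directory by the XDG Base Directory rules and reports whether WEBKIT_FORCE_SANDBOX is set to 0 or the directory resolves inside the home directory. The function names and finding labels are assumptions made for the illustration.

```python
import os
from pathlib import Path


def xdg_data_home(env, home):
    """XDG Base Directory rule: use $XDG_DATA_HOME only if it is set and
    absolute; otherwise fall back to $HOME/.local/share."""
    value = env.get("XDG_DATA_HOME", "")
    if value and os.path.isabs(value):
        return Path(value)
    return Path(home) / ".local" / "share"


def extensions_dir(env, home):
    """Location named in the issue: <data home>/nyxt/extensions/."""
    return xdg_data_home(env, home) / "nyxt" / "extensions"


def is_inside(path, parent):
    """True if path, after following symlinks, lies under parent."""
    real = Path(os.path.realpath(path))
    real_parent = Path(os.path.realpath(parent))
    return real == real_parent or real_parent in real.parents


def audit(env, home, ext_dir=None):
    """Return finding labels (hypothetical names) for one launch
    environment. An empty list means neither condition applies."""
    ext_dir = Path(ext_dir) if ext_dir else extensions_dir(env, home)
    findings = []
    # The workaround from commit 48ac0d8 sets this variable to 0.
    if env.get("WEBKIT_FORCE_SANDBOX") == "0":
        findings.append("webkit-force-sandbox-0")
    # Per the thread, a directory under the home directory is the case
    # that led to the workaround; one outside it does not need it.
    if is_inside(ext_dir, home):
        findings.append("extensions-under-home")
    return findings


if __name__ == "__main__":
    home = os.path.expanduser("~")
    for finding in audit(dict(os.environ), home) or ["ok"]:
        print(finding)
```

Symlinks are resolved before the comparison, so a directory that only appears to be outside the home directory is still reported.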