WEBKIT_FORCE_SANDBOX no longer allows disabling the sandbox. Use WEBKIT_DISABLE_SANDBOX_THIS_IS_DANGEROUS=1 instead #2892
Comments
|
@aartaka We still haven't fixed this sandboxing issue #1781. I'd argue that it's 3.0 critical. Tag? Is it realistic to fix it? If not, then we should drop WebExtension support in the official build of Nyxt to not force users to disable sandboxing. EDIT: See also #2177; WebExtension support is currently broken. |
Yeah :(
It is realistic to fix it, if we move extensions directory to But yes, I'd drop WebExtensions support library anyway, because it's painful to do it in C, and we can replace all of it with a properly linkable Lisp library. |
That wouldn't work on Nix / Guix, right?
Wanna send a PR to remove the build by default and re-enable sandboxing? We need a knob so disable sandboxing when the experimental WebExtension support is built into the binary. |
Hmmmmmmmmmm, yes. I guess we'll have to implement GApplication after all. I'm still clueless about how to do it in a way that doesn't restrict us in a major way.
Yes, will do!
That's hard, because WebKit manages things independently and gives us no control of extensions. But yes, we can check the directory for any .so file and disable sandboxing then. Note that if we implement GApplication, we will not need to disable sandboxing. |
|
I just tested a build of Pre-Release 6 on Guix System today, so I could start building my configuration before the release of Nyxt 3. I am still having this same problem. I am attaching the relevant Guix channel information and the package definition I made to get Nyxt 3-rc6 building. (list (channel
(name 'guix)
(url "https://git.savannah.gnu.org/git/guix.git")
(branch "master")
(commit
"61d15695752997427ed9c3491470dd76b11bd00a")
(introduction
(make-channel-introduction
"9edb3f66fd807b096b48283debdcddccfea34bad"
(openpgp-fingerprint
"BBB0 2DDF 2CEA F6A8 0D1D E643 A2A0 6DF2 A33A 54FA")))))(use-modules (guix packages)
(guix git-download)
(gnu packages web-browsers)
(gnu packages lisp-xyz))
(define-public nyxt-next
(package
(inherit nyxt)
(version "3-pre-release-6")
(source
(origin
(method git-fetch)
(uri (git-reference
(url "https://github.com/atlas-engineer/nyxt")
(commit version)))
(sha256
(base32
"174j7qvjkmvq0iikskgrn5bh1nkhxqjnmp948wp9abbcmpn87rrf"))
(file-name (git-file-name "nyxt" version))))
(inputs
(append `(("cl-gopher" ,sbcl-cl-gopher)
("cl-tld" ,sbcl-cl-tld)
("dissect" ,sbcl-dissect)
("history-tree" ,sbcl-history-tree)
("lass" ,sbcl-lass)
("montezuma" ,sbcl-montezuma)
("nclasses" ,sbcl-nclasses)
("ndebug" ,sbcl-ndebug)
("nfiles" ,sbcl-nfiles)
("njson" ,sbcl-njson)
("nhooks" ,sbcl-nhooks)
("nkeymaps" ,sbcl-nkeymaps)
("nsymbols" ,sbcl-nsymbols)
("ospm" ,sbcl-ospm)
("py-configparser" ,sbcl-py-configparser)
("phos" ,sbcl-phos)
("slynk" ,sbcl-slynk))
(package-inputs nyxt)))))
nyxt-nextAfter building, I still need to do |
|
I think we need to convince Guix to upgrade webkitgtk to 2.40.1. |
|
I prepared a patch for Guix updating webkitgtk from 2.40.0 to 2.40.1, which you can see/track here: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=62987 Though YouTube continues to not work with this package definition (which is probably because of missing GStreamer plugins). |
|
@KarlJoad Great, thank you! The GitHub issue is present in webkitgtk version 2.38.5. |
|
For those who have this issue: bump webkitgtk version to 2.40.1, so that disabling sandbox is not required. Thanks again @KarlJoad. |
Starting nyxt git compiled for openSUSE Tumbleweed with WebKitGTK 2.40.0 results in a crash
Starting it with
WEBKIT_DISABLE_SANDBOX_THIS_IS_DANGEROUS=1fixes it:So i suppose code should be updated to use
WEBKIT_DISABLE_SANDBOX_THIS_IS_DANGEROUSfor newer WebKitGTK versions.The text was updated successfully, but these errors were encountered: