bug#51478: icecat 91 can't display chinese font in many web page

bug#51478: icecat 91 can't display chinese font in many web page

[Z572 via Bug reports for GNU Guix]

[-- Attachment #1: Type: text/plain, Size: 87 bytes --]


hello,

after update to 91, icecat can't display chinese font for many web page:

78:

[-- Attachment #2: Screenshot from 2021-10-29 17-54-33.png --]
[-- Type: image/png, Size: 541899 bytes --]

[-- Attachment #3: Type: text/plain, Size: 5 bytes --]


91:

[-- Attachment #4: Screenshot from 2021-10-29 17-43-00.png --]
[-- Type: image/png, Size: 375638 bytes --]

[-- Attachment #5: Type: text/plain, Size: 153 bytes --]


  guix ad39268
    repository URL: https://git.sjtu.edu.cn/sjtug/guix
    branch: master
    commit: ad39268cdf075f4c4eeb87ed78ce46ca6f817675

-- 
over

bug#51478: icecat 91 can't display chinese font in many web page

[Dr. Arne Babenhauserheide]

[-- Attachment #1: Type: text/plain, Size: 344 bytes --]

Hi,

Z572 via Bug reports for GNU Guix <bug-guix@gnu.org> writes:

> after update to 91, icecat can't display chinese font for many web page:

Thank you for your report!

Does it help to run

    fc-cache -rv

on the commandline?

Best wishes,
Arne
-- 
Unpolitisch sein
heißt politisch sein,
ohne es zu merken.
draketo.de

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 1125 bytes --]

bug#51478: icecat 91 can't display chinese font in many web page

[Mark H Weaver]

Z572 via Bug reports for GNU Guix <bug-guix@gnu.org> writes:
> after update to 91, icecat can't display chinese font for many web page:

Thanks for the report.

As a temporary workaround, it might help to visit <about:config> and
change the setting for "security.sandbox.content.read_path_whitelist"
to contain simply "/gnu/store/".

Doing so will make your IceCat do what all other modern web browsers in
Guix do: simply give the browser sandbox access to *all* of /gnu/store/.
The disadvantage of doing so is that the sandbox will then able to see
the complete list of Guix-installed software components installed on
your system, as well as the precise version numbers of those software
components.

To my knowledge, IceCat is the only modern web browser packaged in Guix
that attempts to build a precise whitelist of directories within
/gnu/store/ that the sandbox is given access to.

When updating our Guix package to IceCat 91, I discovered that it is now
necessary to add font directories to the whitelist, whereas that was not
needed in IceCat 78.  For now, I've added 'font-dejavu' as an explicit
input to our 'icecat' package, and added its font/share directory to the
whitelist.  However, I can see now that this solution is not adequate.

To be continued...

       Mark

-- 
Disinformation flourishes because many people care deeply about injustice
but very few check the facts.  Ask me about <https://stallmansupport.org>.

bug#51478: icecat 91 can't display chinese font in many web page

[ison]

I'm not entirely sure if this is related, but after upgrading to 91
icecat would no longer use fonts from anywhere but my home directories
(~/.fonts or ~/.local/share/fonts).
And changing the whitelist to /gnu/store doesn't fix it.

What's strange is that the fonts are still listed in the icecat font
settings, but it won't use them. Even if I uncheck the box to allow
pages to choose their own fonts.

For example my LiberationSans font stopped working. But if I copy it (or
symlink it) to my ~/.fonts then it works.
NOTE: I test it by changing security.sandbox.content.read_path_whitelist
in about:config to "/gnu/store", closing icecat, running fc-cache -fv
(both as root and normal user), then opening icecat again. And it still
only uses LiberationSans if it gets copied to my home.

bug#51478: icecat 91 can't display chinese font in many web page

[Mark H Weaver]

ison <ison@airmail.cc> writes:
> NOTE: I test it by changing security.sandbox.content.read_path_whitelist
> in about:config to "/gnu/store"

That won't work.  As I recall, there *must* be a slash at the end of
each directory in the whitelist, as in "/gnu/store/", not just
"/gnu/store".  Does that make a difference for you?

     Thanks,
       Mark

-- 
Disinformation flourishes because many people care deeply about injustice
but very few check the facts.  Ask me about <https://stallmansupport.org>.

bug#51478: icecat 91 can't display chinese font in many web page

[ison]

Mark H Weaver <mhw@netris.org> writes:
> ison <ison@airmail.cc> writes:
>> NOTE: I test it by changing security.sandbox.content.read_path_whitelist
>> in about:config to "/gnu/store"
>
> That won't work.  As I recall, there *must* be a slash at the end of
> each directory in the whitelist, as in "/gnu/store/", not just
> "/gnu/store".  Does that make a difference for you?

That fixed it for me. Thanks for the help.

bug#51478: icecat 91 can't display chinese font in many web page

[Z572 via Bug reports for GNU Guix]

I add "/run/current-system/profile/share/fonts/" to
"security.sandbox.content.read_path_whitelist" fixed it for me.

Thanks for the help.


Mark H Weaver <mhw@netris.org> writes:

> Z572 via Bug reports for GNU Guix <bug-guix@gnu.org> writes:
>> after update to 91, icecat can't display chinese font for many web page:
>
> Thanks for the report.
>
> As a temporary workaround, it might help to visit <about:config> and
> change the setting for "security.sandbox.content.read_path_whitelist"
> to contain simply "/gnu/store/".
>
> Doing so will make your IceCat do what all other modern web browsers in
> Guix do: simply give the browser sandbox access to *all* of /gnu/store/.
> The disadvantage of doing so is that the sandbox will then able to see
> the complete list of Guix-installed software components installed on
> your system, as well as the precise version numbers of those software
> components.
>
> To my knowledge, IceCat is the only modern web browser packaged in Guix
> that attempts to build a precise whitelist of directories within
> /gnu/store/ that the sandbox is given access to.
>
> When updating our Guix package to IceCat 91, I discovered that it is now
> necessary to add font directories to the whitelist, whereas that was not
> needed in IceCat 78.  For now, I've added 'font-dejavu' as an explicit
> input to our 'icecat' package, and added its font/share directory to the
> whitelist.  However, I can see now that this solution is not adequate.
>
> To be continued...
>
>        Mark


-- 
over

bug#51478: icecat 91 can't display chinese font in many web page

[Mark H Weaver]

Hi,

Z572 <873216071@qq.com> writes:
> I add "/run/current-system/profile/share/fonts/" to
> "security.sandbox.content.read_path_whitelist" fixed it for me.

Thanks!  One very important note: you should "reset" this customization
after updating to IceCat 91.3.0, or else IceCat will stop working
correctly after some future update of Guix.  The reason is that the
whitelist contains several other directories within /gnu/store/, and
those directory will need to be updated whenever those components are
updated in Guix.  For example, when 'ffmpeg' is updated to a newer
version, or one of its dependent libraries is updated, the directory
name /gnu/store/…-ffmpeg-4.4 will change; if you don't update the
whitelist accordingly, video playback will stop working.

In the IceCat 91.3.0 update that I pushed a few hours ago, I added
"/run/current-system/profile/share/fonts/" to the default whitelist.

So, I suggest that you update to IceCat 91.3.0 at your earliest
opportunity, and then visit <about:config>, navigate to the
"security.sandbox.content.read_path_whitelist" setting, and click on its
"reset" button (the one with an arrow pointing to the left), to erase
the customization of that setting.

Note that it is not enough to simply remove the directory that you
added.  You must click the reset button on that customization in order
to allow it to be automatically updated in the future.

* * *

Going forward, I think that we should create a patch for IceCat
analogous to the webkitgtk-bind-all-fonts.patch that Liliana wrote for
WebKitGTK.  I think that all of the directories that currently comprise
the default value of "security.sandbox.content.read_path_whitelist"
should instead be *implicitly* added to the whitelist, in *addition* to
the contents of "security.sandbox.content.read_path_whitelist".  That
would enable users to customize that setting without having to manually
keep the /gnu/store/…/ entries updated.

I'll keep this bug open for now, pending a more proper fix.

      Thanks,
        Mark

-- 
Disinformation flourishes because many people care deeply about injustice
but very few check the facts.  Ask me about <https://stallmansupport.org>.

bug#51478: icecat 91 can't display chinese font in many web page

[Z572 via Bug reports for GNU Guix]

thanks for reminding :) .

Mark H Weaver <mhw@netris.org> writes:

> Hi,
>
> Z572 <873216071@qq.com> writes:
>> I add "/run/current-system/profile/share/fonts/" to
>> "security.sandbox.content.read_path_whitelist" fixed it for me.
>
> Thanks!  One very important note: you should "reset" this customization
> after updating to IceCat 91.3.0, or else IceCat will stop working
> correctly after some future update of Guix.  The reason is that the
> whitelist contains several other directories within /gnu/store/, and
> those directory will need to be updated whenever those components are
> updated in Guix.  For example, when 'ffmpeg' is updated to a newer
> version, or one of its dependent libraries is updated, the directory
> name /gnu/store/…-ffmpeg-4.4 will change; if you don't update the
> whitelist accordingly, video playback will stop working.
>
> In the IceCat 91.3.0 update that I pushed a few hours ago, I added
> "/run/current-system/profile/share/fonts/" to the default whitelist.
>
> So, I suggest that you update to IceCat 91.3.0 at your earliest
> opportunity, and then visit <about:config>, navigate to the
> "security.sandbox.content.read_path_whitelist" setting, and click on its
> "reset" button (the one with an arrow pointing to the left), to erase
> the customization of that setting.
>
> Note that it is not enough to simply remove the directory that you
> added.  You must click the reset button on that customization in order
> to allow it to be automatically updated in the future.
>
> * * *
>
> Going forward, I think that we should create a patch for IceCat
> analogous to the webkitgtk-bind-all-fonts.patch that Liliana wrote for
> WebKitGTK.  I think that all of the directories that currently comprise
> the default value of "security.sandbox.content.read_path_whitelist"
> should instead be *implicitly* added to the whitelist, in *addition* to
> the contents of "security.sandbox.content.read_path_whitelist".  That
> would enable users to customize that setting without having to manually
> keep the /gnu/store/…/ entries updated.
>
> I'll keep this bug open for now, pending a more proper fix.
>
>       Thanks,
>         Mark


-- 
over