Subject: [bug#39127] [PATCH] fixing icecat's multimedia
Date: Tue, 14 Jan 2020 02:36:05 +0100
From: Julien Lepiller
Message-ID: <20200114023605.70d61b0b@tachikoma.lepiller.eu>
In-Reply-To: <87eew2hllb.fsf@nckx>
References: <20200114015819.713f4e4f@tachikoma.lepiller.eu> <87eew2hllb.fsf@nckx>
To: Tobias Geerinckx-Rice
Cc: 39127@debbugs.gnu.org

On Tue, 14 Jan 2020 02:29:20 +0100, Tobias Geerinckx-Rice wrote:

> Julien,
>
> Thanks! For anything with ‘security’ *and* ‘sandbox’ in the name
> we should definitely involve IceCat upstream.
>
> Julien Lepiller wrote:
> > (substitute* "browser/app/profile/icecat.js"
> >   (("\"security.sandbox.content.read_path_whitelist\", \"\"")
> >    (string-append
> >     "\"security.sandbox.content.read_path_whitelist\", \""
> >     (%store-directory) "/\"")))
>
> When I asked bandali on IRC a few weeks(?) ago about this exact
> patch, they didn't sound convinced. But we were both quite unsure
> :-) Have things changed? Have you talked to Mark?

I haven't talked to Mark, but here's how you can check: set
security.sandbox.content.read_path_whitelist in about:config to an
empty string (the default) and restart icecat. It cannot play the video
from https://harmonist.tuxfamily.org/. It doesn't work. Set it to
/gnu/store/ (with a trailing /) and restart the browser. Now the video
works.

This patch attempts to make the working scenario the default :)

>
> > Since icecat has access to /lib and /usr/lib, I think we can
> > also give
> > it read access (not write) to /gnu/store.
>
> That sounds reasonable, if you're certain that it's read-only.
>
> > Wdyt?
>
> LGTM from the Guix side.
>
> Kind regards,
>
> T G-R
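The check Julien describes is done by hand in about:config. As an added example (mine, not code from the thread, from Guix or from IceCat), the same toggle written as a shell function against a profile's user.js, so the two states the message compares (the empty default versus /gnu/store/) can be flipped and inspected from a script. It mirrors the Guix snippet above in one detail: the value must carry a trailing slash, which is what `(%store-directory) "/"` produces, so the function refuses a value without one rather than silently fixing it. The profile directory argument and the assumption that IceCat picks up user.js the way Firefox does are mine.

```shell
#!/bin/sh
# Added example, not from the original thread or from the Guix package.
# Assumption: the IceCat profile directory is passed as $1 and the browser
# reads user.js from it at startup (Firefox behaviour); a restart is still
# needed, exactly as in the about:config check.

PREF='security.sandbox.content.read_path_whitelist'

# Write or replace the read_path_whitelist pref in "$1/user.js".
# $2 is the whitelist entry; it defaults to the store prefix used in the thread.
set_read_path_whitelist() {
    profile="$1"
    path="${2:-/gnu/store/}"

    # The value that works in the message ends with "/"; require it explicitly
    # instead of guessing, so a typo like /gnu/store is caught here.
    case "$path" in
        */) ;;
        *)  printf 'refusing %s: whitelist entry must end with /\n' "$path" >&2
            return 1 ;;
    esac
    # Reject characters that would break the user_pref() string literal or the
    # comma-separated list format.
    case "$path" in
        *'"'*|*'\'*|*,*)
            printf 'refusing %s: bad character in path\n' "$path" >&2
            return 1 ;;
    esac

    [ -d "$profile" ] || { printf 'no such profile dir: %s\n' "$profile" >&2; return 1; }
    userjs="$profile/user.js"

    # Drop any earlier line for this pref (keeping everything else), then
    # append the new value.  grep -v exits 1 when nothing is left, hence || true.
    if [ -f "$userjs" ]; then
        grep -v "\"$PREF\"" "$userjs" > "$userjs.tmp" || true
    else
        : > "$userjs.tmp"
    fi
    printf 'user_pref("%s", "%s");\n' "$PREF" "$path" >> "$userjs.tmp"
    mv "$userjs.tmp" "$userjs"
}

# Print the pref's current value from "$1/user.js".  Prints nothing when the
# pref is absent, i.e. the empty default that cannot play the video.
get_read_path_whitelist() {
    sed -n 's/^user_pref("security\.sandbox\.content\.read_path_whitelist", "\(.*\)");$/\1/p' \
        "$1/user.js" 2>/dev/null
}

# Usage (profile path is an assumed example):
#   set_read_path_whitelist ~/.mozilla/icecat/abcd1234.default
#   get_read_path_whitelist ~/.mozilla/icecat/abcd1234.default
```

To reproduce the comparison in the message, run `set_read_path_whitelist` on the profile, restart IceCat and load the video; to get back to the default, delete the line it wrote (or set the pref to an empty string in about:config) and restart again. The function only ever adds a read whitelist entry; it does not touch the write-side sandbox prefs, which is the read-only property Tobias asks about.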