I am beginning to warm up to the idea that non-sandboxed web browsing is unsafe.
I think I'll continue using palemoon for most tasks, but there are situations that bug me as insecure. when for example someone posts a link to a spyware-ridden news site and I can't see anything until I enable dozens of javascript cross site requests...
so I came up with the idea to open a particular link in a different browser by way of right-click context menu.
You need:
1. The Open With... Firefox addon (the current version works fine with palemoon, just "Install anyway"). You have to specifically enable the right-click context menu items for "Main context menu (links)".
2. firejail (in jessie-backports)
3. surf is in the repos. this can be substituted with something else, but I think it makes sense to use a browser that can handle the modern web, yet has practically no user interface.
I think the idea is clear; the rest are suggestions:
a) miniscript:
#!/bin/sh
# "$@" is quoted so that each link reaches surf as a single, unsplit argument
exec firejail --private /usr/bin/surf -u 'Mozilla/5.0 (Linux; Android 5.1.1; Nexus 5 Build/LMY48B; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/43.0.2357.65 Mobile Safari/537.36' -d -g -n -S "$@"
As you can see I took the opportunity to pretend to be a mobile browser.
I'm also telling surf to NOT share my geolocation.
Makes sense to me, but ymmv.
Please make sure to
- use the '--private' option for firejail
- enable javascript for surf with '-S'
b) in Open With addon preferences, right side, "Choose which items to display" => Add : point it to the script you just saved.
That's it really.
Last edited by ohnonot (2021-07-02 08:32:38)
Offline
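A stricter variant of the wrapper from the post above, added here as an example (it is not ohnonot's script): it accepts exactly one http(s) URL and refuses anything else before handing it to firejail and surf. The function names are made up for this example; the firejail and surf options and the user agent are the ones used in the post.

```shell
#!/bin/sh
# Added example, not part of the original post.
# User agent string copied from the post above.
UA='Mozilla/5.0 (Linux; Android 5.1.1; Nexus 5 Build/LMY48B; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/43.0.2357.65 Mobile Safari/537.36'

# is_web_url (hypothetical helper): succeed only for a plain http(s) URL.
# Anything else (other schemes, local paths, strings that look like
# command-line options, embedded whitespace or control characters)
# is rejected, so the wrapper only ever forwards a web link.
is_web_url() {
    case "$1" in
        http://*|https://*) ;;
        *) return 1 ;;
    esac
    case "$1" in
        *[[:space:]]*|*[[:cntrl:]]*) return 1 ;;
    esac
    return 0
}

# open_sandboxed (hypothetical helper): validate, then replace this
# process with surf running inside a firejail --private sandbox.
open_sandboxed() {
    if [ "$#" -ne 1 ]; then
        echo "usage: open_sandboxed URL" >&2
        return 2
    fi
    if ! is_web_url "$1"; then
        echo "refusing argument that is not an http(s) URL" >&2
        return 1
    fi
    # Same options as the post: -d, -g, -n, and -S to enable javascript.
    exec firejail --private /usr/bin/surf -u "$UA" -d -g -n -S "$1"
}

# Launch only when the script is called with arguments, which is how
# the Open With addon invokes it for a right-clicked link.
if [ "$#" -gt 0 ]; then
    open_sandboxed "$@"
fi
```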
great suggestion! Thanks ohnonot!
I was playing with firejail for some days now but found it hard to decide whether to use it or not when initially starting my ff, but these days of confusion seem to be over.
UPDATE: Been testing a while. Works great! Thanks again!
naik --greetz
Last edited by Naik (2017-03-17 13:17:07)
"No sooner does [a human]* do it right than it works right away!"
BL-Kitchen Codeberg
Offline
Thanks for this ohnonot!
One thing though:
surf
This uses webkit and so is not suitable for use against untrusted sites, as per the Debian jessie release notes:
https://www.debian.org/releases/jessie/ … r-security
The developers of surf say:
Note On Webkit Versions
Compile your own webkit or expect hell. The packaging of webkit is pure insane.
Offline
HoaS, doesn't the firejail and the way surf is used here make it safe enough anyway?
are rolling-release distros affected by this webkit insecurity as well?
alternatives for this use case?
Offline
^ I thought of that too
but maybe using w3m could be of some help here? I tried it and it works once one got used to its "different" style of serving websites... ;-)
naik --greetz
"No sooner does [a human]* do it right than it works right away!"
BL-Kitchen Codeberg
Offline
doesn't the firejail and the way surf is used here make it safe enough anyway?
I wouldn't think so, no.
I think it would make more sense to use a supported, secure browser along with firejail.
I also think there may be a danger in putting too much trust in a simple seccomp wrapper — there have been multiple vulnerabilities filed against that package, many of them serious:
https://security-tracker.debian.org/tra … e/firejail
https://security.archlinux.org/
are rolling-release distros affected by this webkit insecurity as well?
Arch does very well indeed, they updated to the latest (stable) webkit version on the very same day that it was released
Debian, not so much... sid is still on an old version:
https://packages.debian.org/sid/libwebkitgtk-3.0-dev
Last updated in September last year
alternatives for this use case?
I have just tried compiling my own webkit but the dependencies are a nightmare, I'm stuck on
EDIT: the module was in libgles2-mesa-dev.
After installing *many* other dependencies (and building gobject-introspection from source), I have finally compiled Webkit from source.
EDIT2: I can't get this to build at all, the Java compiler errors out but at that point all of my 8GiB of RAM & 4GiB of swap are in use (34MiB free!) so maybe my system is just too weedy to compile it successfully.
Last edited by Head_on_a_Stick (2017-03-18 16:01:33)
Offline
Thought i would search firefox addons for something similar to this and found Priv8.
https://addons.mozilla.org/en-US/firefo … v8/?src=ss
What do you think? Seems to tick all the boxes of an in browser sandbox utility?
Last edited by Steve (2017-03-18 14:09:08)
Offline
What do you think?
Looks like a lesser version of e10s, probably best to use the real thing:
Offline
goddamit, it's never enough is it.
i'll remember to not rely on it too much.
anyhow i heard a rumour it's possible to have a well-supported noscript addon for chrome, so maybe also for chromium, so i might switch to some ungoogled chromium after all.
but maybe using w3m could be of some help here?
for me the whole point is to get relatively safe access to javascript- and XSS-ridden sites, so w3m is out.
Thought i would search firefox addons for something similar to this and found Priv8.
https://addons.mozilla.org/en-US/firefo … v8/?src=ss
that looks really nice.
like chrom/e/ium.
hope it's not somehow cloud based? or, sending usage statistics to the developers?
Offline
Steve wrote: What do you think?
Looks like a lesser version of e10s, probably best to use the real thing:
I will have to investigate that further, cheers.
Steve wrote: Thought i would search firefox addons for something similar to this and found Priv8.
https://addons.mozilla.org/en-US/firefo … v8/?src=ss
that looks really nice.
like chrom/e/ium.
hope it's not somehow cloud based? or, sending usage statistics to the developers?
The developer is a test pilot for this addon being made into something better and possibly integrated into the browser, not sure i would totally trust it without looking further into it. Cool idea though.
https://wiki.mozilla.org/Security/Conte … Containers
https://testpilot.firefox.com/experiments/containers
Offline
Steve wrote: What do you think?
Looks like a lesser version of e10s, probably best to use the real thing:
Just had a look and i can't use e10s due to (disabled by addons), i could force enable but that is not recommended. I would have to uninstall/disable my addons to be on the safe side.
Firefox Beta
If you're currently using Firefox Beta you might be testing e10s already, check about:support and look for a number higher than 0 in the "Multiprocess Windows" entry. If you would like to opt-in to help us test open about:config and toggle browser.tabs.remote.autostart to true. On your next restart, e10s should be active.
Firefox Release
If you're using Firefox 48 or later, you might be using e10s already. Check about:support and look for a number higher than 0 in the "Multiprocess Windows" entry. If you would like to opt-in, open about:config and toggle browser.tabs.remote.autostart to true. On your next restart, e10s should be active.
Force Enable
If you've tried enabling e10s following the instruction above, but your about:support indicates that e10s is disabled (e.g., accessibility, add-ons can trigger this), you can force e10s on for testing purposes. Within about:config create a new boolean pref named browser.tabs.remote.force-enable and set it to true. This is not encouraged, use it at your own risk!
Offline
i could force enable but that is not recommended
Coward!
8o 8o
Offline
Ok i will live on the edge for once.....
I back it all up first though
Offline
^ Very wise 8)
I was just joking by the way — if this is a "critical" system then by all means play it "safe" instead
Offline
No my system is not in the least critical. My external hdd are though.
Offline