On 16 January 2020 01:24:50 GMT-05:00, Mark H Weaver <m...@netris.org> wrote:
>Hi Jakub,
>
>Jakub Kądziołka <k...@kadziolka.net> wrote:
>> I had some problems with video codecs in IceCat 68.3.0-guix0-preview1.
>> For example, consider this page: http://demo.nimius.net/video_test/. By
>> default, the videos under the headings H.264 / AAC and MPEG4 don't work
>> ("No video with supported format and MIME type found.").
>>
>> The following steps make the first of these videos work:
>> 1. Open about:config
>> 2. Click "I accept the risk!"
>> 3. Set security.sandbox.content.read_path_whitelist to /gnu/store/
>> (the trailing / is important).
>>
>> The instructions were originally sketched out in this help-guix
>> message:
>> https://lists.gnu.org/archive/html/help-guix/2019-12/msg00150.html
>>
>> I believe it would be beneficial to make this a default.
>>
>> On IRC, bandali suggested that it would be better to only whitelist the
>> necessary store subdirectories. I don't know how to gather such a list,
>> but it seems like a good idea.
>
>Thank you for bringing this to my attention. I agree with Amin Bandali
>that a more precise whitelist is preferable. Moreover, I was not
>comfortable whitelisting all of /gnu/store.
>
>I'm glad to report that it appears to be sufficient to whitelist the
>RUNPATH of libavcodec.so, plus the /share/mime/ directory from
>shared-mime-info. I've implemented this in commit
>429c8284d232c3f9fbe3dc87a3da323f3a864c03 and pushed it to 'master'.
>
>> I don't know how about:config entries modified by the user behave when
>> IceCat is updated, but in some of the behaviors I can imagine, the
>> config entry stops updating,
>
>As currently implemented, we now arrange to set the *default* value of
>'security.sandbox.content.read_path_whitelist' to an appropriate
>whitelist.
>
>Users who have customized 'security.sandbox.content.read_path_whitelist'
>to work around this issue should now erase that customization, by
>right-clicking on its entry in <about:config>, and clicking on "Reset".
>It might also be necessary to restart IceCat after doing so.
>
>> in which case it would be better to add the paths to some internal
>> whitelist (I reckon such a whitelist already exists and contains
>> something like /usr/lib).
>
>I agree that it would be preferable, but I wasn't sufficiently motivated
>to implement it. Feel free to propose a patch. I'm not sure it would
>make much of a difference in practice though, because the net result for
>anyone who has customized it to /gnu/store/ will be the same: until they
>reset their customization, their effective whitelist will be all of
>/gnu/store/*.
>
>What do you think?
>
>Anyway, thanks to everyone who contributed to this fix! I'm closing
>both the older bug (38045) and the more recent duplicate (38831), but
>feel free to reopen if appropriate.
>
> Mark
Hi,

Thanks for the fix! We'll need something similar for webgl (mesa and
dependencies at least), unless your patch already fixes it? I haven't
checked.
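The narrow whitelist Mark describes (the RUNPATH of libavcodec.so plus shared-mime-info's share/mime/ directory, instead of all of /gnu/store/) can be derived mechanically from the library's dynamic section. The script below is an added example written for this thread; it is not code from the thread, from the IceCat package or from commit 429c8284. It assumes that `readelf -d` (binutils) prints the dynamic section in its usual "(RUNPATH) Library runpath: [a:b:c]" form, that the pref takes a comma-separated list in which a trailing "/" grants a directory rather than a single file (which is why "the trailing / is important"), and that HASH1, HASH2 and /PATH/TO/... are placeholders for real store items.

```shell
#!/bin/sh
# Added example (not code from this thread or from the Guix IceCat package):
# derive a narrow security.sandbox.content.read_path_whitelist value from the
# RUNPATH of a shared library, the approach described above for libavcodec.so.
# Assumptions: `readelf -d` output format as printed by binutils; the pref is a
# comma-separated list where a trailing "/" means "this directory";
# HASH1/HASH2 and /PATH/TO/... are placeholders, not real store paths.

# Print the colon-separated RUNPATH (falling back to RPATH) found in
# `readelf -d` output read on stdin; prints an empty line if there is none.
runpath_from_readelf() {
    out=$(cat)
    rp=$(printf '%s\n' "$out" | sed -n 's/.*(RUNPATH).*\[\(.*\)].*/\1/p')
    [ -n "$rp" ] || rp=$(printf '%s\n' "$out" | sed -n 's/.*(RPATH).*\[\(.*\)].*/\1/p')
    printf '%s\n' "$rp"
}

# whitelist_from_runpath RUNPATH ORIGIN_DIR [EXTRA_DIR...]
# Turn a colon-separated RUNPATH into the comma-separated pref value:
# resolve $ORIGIN against the library's own directory, force a trailing "/"
# on every entry (directory grant, not a single-file grant), drop duplicates,
# and append any extra directories (e.g. shared-mime-info's share/mime/).
whitelist_from_runpath() {
    runpath=$1; origin=$2; shift 2
    list=""
    old_ifs=$IFS; IFS=:
    for d in $runpath "$@"; do
        IFS=$old_ifs            # the loop list is already split; restore IFS
        [ -n "$d" ] || continue
        case $d in *'$ORIGIN'*) d=$(printf '%s' "$d" | sed "s|[\$]ORIGIN|$origin|g");; esac
        case $d in */) ;; *) d="$d/";; esac
        case ",$list," in *",$d,"*) continue;; esac   # already present
        list="${list:+$list,}$d"
    done
    IFS=$old_ifs
    printf '%s\n' "$list"
}

# Constructed sample of `readelf -d libavcodec.so` output (placeholder hashes,
# plus a $ORIGIN entry to exercise the resolution and de-duplication paths).
SAMPLE_READELF='Dynamic section at offset 0x12345 contains 30 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libswresample.so.3]
 0x000000000000001d (RUNPATH)            Library runpath: [/gnu/store/HASH1-ffmpeg/lib:/gnu/store/HASH2-glibc/lib:$ORIGIN]
 0x000000000000000e (SONAME)             Library soname: [libavcodec.so.58]'

# Stand-alone run against the constructed sample.
sample_rp=$(printf '%s\n' "$SAMPLE_READELF" | runpath_from_readelf)
whitelist_from_runpath "$sample_rp" /gnu/store/HASH1-ffmpeg/lib /PATH/TO/shared-mime-info/share/mime/

# Real use: sh this-script.sh /gnu/store/<hash>-ffmpeg/lib/libavcodec.so /PATH/TO/shared-mime-info/share/mime/
if [ -n "${1:-}" ] && [ -f "${1:-}" ]; then
    real_rp=$(readelf -d "$1" | runpath_from_readelf)
    whitelist_from_runpath "$real_rp" "$(dirname "$1")" "${2:-}"
fi
```

The printed value is what would go into the pref, either as the package's default (as the commit above does) or, for a user still carrying the /gnu/store/ workaround, as a replacement for it. Because the sandbox broker compares paths literally, keep the grants as absolute store directories; and since libraries named as NEEDED may carry RUNPATHs of their own, confirm the result by reloading the test page rather than assuming the direct RUNPATH alone covers every codec.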