Since I’m kind of steamrolling my way through stuff these days, I thought it might help the community if I document some of my findings (eureka moments from wall-head bashing).
I’ll start off today with one basic step:
Purge Firefox with `sudo dnf -y remove firefox`
Replace it with `flatpak install flathub org.mozilla.Firefox`
Install Flatseal with dnf
Install the GNOME Extensions flatpak with `flatpak install flathub org.gnome.Extensions`
Now open Flatseal, go to Firefox and disable X11 & X11 fallback, along with "allow all devices", in favor of allowing only GPU access (this makes it impossible for internet webcam/mic access)
Open gnome extensions, and now you have auto-updating, sandboxed gnome shell extensions. A sandboxed extensions GUI that can batch-update all your extensions at once without a browser, reducing attack surface
You now have to manually install them to /home/.local/share/gnome-shell/extensions by manually downloading the zip from the traditional extensions site, extracting it to the directory above, then going into the metadata file to find the extension UUID name, and renaming the extension folder to that UUID.
Probably works for fedora silverblue too
Up next
Lower end devices crashing on Fedora’s gnome live installer and how to work around it (hopefully it gets fixed)
UPDATE 2 (WIP)
Install fedora lxde edition
use terminal to transition from lxde to gnome desktop
The reason, as far as I know, that Fedora (even Silverblue) doesn’t is that some of Firefox’s internal sandboxing can’t work under Flatpak. Does that leave you overall less secure? Not sure, I haven’t looked into it, but I do wish that would be solved, as I think having the ability to limit folders and webcams and things is nice. I do generally tell people to install the Flathub versions just to bypass the h264 issues.
I have never set up extensions in GNOME, certainly not in flatpaks. I would think that the extension flatpak is just the manager, and that to actually have them modify GNOME they are still getting installed outside the flatpaks, but not sure.
I think it’s just a sandboxed interface to pull extension updates from their respective GNOME extension repository under a set of circumstances (matches GNOME version, turns on without error, has a proper UUID that matches the GNOME extension database), and it’s able to batch-update extensions from my testing.
It’s much more secure than giving a browser deep filesystem access with no flatpak sandboxing. (I removed the Firefox filesystem package too while I was at it.)
Apparently you can get the Firefox flatpak to work with the GNOME extensions API by adding custom D-Bus permissions in Flatseal, and I got close, but there was a package conflict: the GNOME website kept looking for the Chromium extension API when it should have been looking for the Firefox extension API.
I am just trying to relay what I recall from reading up on why distros don’t ship the browser as a flatpak, not even Fedora Silverblue. But I also want to stress I was quoting others with that and said “some”, so ya, some features it can’t make use of, but it seems at least the Firefox devs think it is a non-issue because the only thing broken is setting up their own namespace, which the whole thing in a flatpak would be in.
It does look like Firefox now suppresses the errors, so that is probably a pretty good sign they think whatever features
Which at least seemed to indicate some concern of loss; idk if that was between processes, I don’t know enough about all the details of Firefox sandboxing.
But this bug from 11 months ago suppresses the warning now, so I think that is the answer from the devs that it is a non-issue. I was not aware they had changed it.
Meh, I might develop a Tampermonkey script that automatically extracts the extension zip to the extensions directory in Fedora and renames the folder to the UUID so it appears inside Extension Manager.
I’d like to see development pick up again like it did in the past, drop down terminal for example was abandoned
Ah yeah I remembered wrong; ages ago when I wanted to check if the sandboxing worked I checked about:support but I forgot that namespaces was disabled. So because 4/5 were ‘true’ it affected my memory.
Also, afaik Aeon Desktop is the only distro that ships with a flatpak Firefox by default, it only has the file manager and terminal emulator as native packages.
Edit: I’m of the opinion that everybody should be running their web browsers as flatpaks or confining them with AppArmor. I’ve caught a couple of legit websites red-handed trying to read the contents of a home folder or read the webcam, bypassing any user prompt because of some 0-day exploit they hosted without their knowledge, but it was fixed very quickly upon reporting.
I might actually have to try that, I have a Fedora on an anemic haswell tablet that struggles to play 360p video even with h264ify and hw accel enabled in Firefox.
I have a bash script that does that and enables the extension. It might need some modification for standalone use (I was trying it out with Ansible). I’ll take a look when I have a moment and share it here if it’s not too much work. I can at least share the basics of it if you want to write your own.
Ooh good stuff! I’ll take a look. I might add an update trigger if I can find it for the gnome extensions GUI “update” button, which triggers the batch update.
Something like every 2 weeks sounds reasonable to keep up with gnome changes
I haven’t looked into triggering batch updates. The CLI tool might have an option to do that, but I don’t recall. If not, it would be easy enough to add the extension URLs to the script and set up a cron job to run it periodically too. The script installs the newest version of any extension passed to it for your Gnome shell version each time it’s run. Might need to update it to remove the “enabled” check it does.
Have you ever checked out the Extension Manager application on Flathub? It’s an alternative to GNOME’s Extensions app and it lets you browse, install, and manage extensions - Install Extension Manager on Linux | Flathub. It keeps extensions up to date too, although I think the official application GNOME released does that too, and in your OP it looks like you already installed that.
You also mentioned Drop Down Terminal earlier, you might check out the ddterm extension. I don’t know if it has all of the same features, but I’ve been using it for a bit and I like it.
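The manual steps from the OP (read the UUID from metadata.json, rename the folder to it) and the install-and-enable script described just above, written up as an added example that is not the poster's script: it extracts an extension zip into `<extensions_dir>/<uuid>`, refuses a UUID that is not a plain folder name, rejects zip members that would land outside the target folder, checks the GNOME Shell version against `shell-version`, and can optionally run `gnome-extensions enable`. The regex, the `shell_version` handling and the `enable` flag are this example's own assumptions.

```python
"""Install a GNOME Shell extension zip into the user extensions directory."""
import json
import re
import shutil
import subprocess
import zipfile
from pathlib import Path

# Assumption: a UUID is a single folder name such as "name@author.example".
UUID_RE = re.compile(r"^[A-Za-z0-9._@+-]+$")


def read_metadata(zip_path):
    """Return the parsed metadata.json from an extension zip."""
    with zipfile.ZipFile(zip_path) as zf:
        return json.loads(zf.read("metadata.json"))


def install_extension(zip_path, extensions_dir, shell_version=None, enable=False):
    """Extract zip_path into extensions_dir/<uuid> and return the uuid.

    shell_version: e.g. "45" or "45.2"; when given, metadata "shell-version"
    must list it (or its major version).
    enable: afterwards run `gnome-extensions enable <uuid>` (needs a session).
    """
    meta = read_metadata(zip_path)
    uuid = meta.get("uuid", "")
    if not UUID_RE.match(uuid):
        raise ValueError(f"refusing suspicious uuid: {uuid!r}")
    if shell_version is not None:
        supported = [str(v) for v in meta.get("shell-version", [])]
        major = shell_version.split(".")[0]
        if shell_version not in supported and major not in supported:
            raise ValueError(f"extension supports {supported}, not GNOME {shell_version}")
    target = Path(extensions_dir) / uuid
    target_resolved = target.resolve()
    with zipfile.ZipFile(zip_path) as zf:
        for member in zf.namelist():
            # Zip-slip guard: every member must stay inside the target folder.
            dest = (target / member).resolve()
            if dest != target_resolved and target_resolved not in dest.parents:
                raise ValueError(f"zip member escapes target dir: {member}")
        if target.exists():
            shutil.rmtree(target)  # replace an older copy of the same uuid
        zf.extractall(target)
    if enable:
        subprocess.run(["gnome-extensions", "enable", uuid], check=True)
    return uuid
```

Point it at `~/.local/share/gnome-shell/extensions` and pass `enable=True` from inside a GNOME session; running it from cron every couple of weeks against a list of zips gives the periodic update the thread talks about.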
Ah ok that’s where the confusion is. Yes I’m trying to enhance the official gnome extensions manager flatpak functionality since it’s a little rough around the edges. Your script will definitely help me though.