gerthin.blogg.se - Keepassxc firefox

So I chose the Rust proxy application (because why should not I? 🙃).Good for us: it has not many depenencies and is available as a stand-alone application.

Worst things first: We need the keepassxc-proxy as a binary, because we want to have it run inside of the Firefox flatpak.

Tested with: Fedora 32, v75 from flathub, v2.5.4 from flathub Starting keepassxc-proxy by Firefox

Exposing the UNUX socket from the KeePassXC flatpak to other applications outside of the Flatpak.

Note: At that step, you can already run the variation: Firefox (sandboxed), KeePassXC (host-installed)

Allowing Firefox to access the socket of KeePassXC.

Starting keepassxc-proxy by Firefox (solution: we run it inside the Firefox sandbox).

To spoiler, this are the main points we need to solve: However, even if we've solved the fact of Firefox having to run the proxy, there are more problems. So glad news ahead: This solution preserves all sandboxes and security aspects! After all, from a security POV you could then also just install Firefox on the host, yet again. However, seeing how lovely and quite securley the Firefox sandbox is already built, I would not dare to destroy that security for such a feature.

So we could solve that by making wrapper scripts and using flatpak-spawn to let Firefox escape it's sandbox. Anyway, whatever it does, it cannot do one thing: Spawn a process on the host or in another flatpak. it does not have any generic access to the file system (it uses portals). Now why it does not work if Firefox is installed as a flatpak: The very good official Firefox flatpak by Mozilla really does have few permissions for being a browser.That is, so far, why Firefox installed on the host does work….Flathub KeePassXC has a patch that allows the keepassxc-proxy to be started via flatpak run, i.e.The only thing it possibly needs to do is get into the KeePassXC flatpak. If Firefox is not sandboxed, that proxy can start as usual.KeePassXC-Browser) and tries to listen on that socket to find messages. keepassxc-proxy is started – via native messaging – by the browser (triggered by the add-on i.e. KeePassXC creates an UNIX socket in $XDG_RUNTIME_DIR/kpxc_server for applications to listen too.But for the curious, I'll explain the problems we face: If you just want the solution, you can skip this part.