Cannot open hyperlink with Firefox using Libreoffice Calc

[rieje]

I have both Firejail and Libreoffice sandboxed. When clicking on a hyperlink in Libreoffice Calc, it will fail to run a Firefox instance--a prompt saying the Firefox profile cannot be loaded because it may be missing or inaccessible results. If I run Libreoffice without it being sandboxed (i.e. /usr/bin/localc), clicking a hyperlink will launch Firefox as expected.

What's the best way to go about this? And would it be possible to use a temporary (i.e. private sandboxed instance of Firefox)?

[SkewedZeppelin]

See #2047

[rieje]

According to Firefox itself, Firefox is already the default browser. I use a sanboxed Emacs with the default settings and it seems to be able to open links with Firefox without a problem. What do I need to whitelist or change for Libreoffice for it to open links with Firefox?

[glitsj16]

@rieje If you closely examine both libreoffice.profile and firefox.profile in /etc/firejail it is pretty obvious that making changes to libreoffice.profile to support firefox would be difficult, if not impossible in a secure way. That's why it is recommended to copy-paste links in several of the referenced comments from #2047. That will always be the safest bet, allbeit not very user-friendly.

I have zero experience with libreoffice personally, so I cannot judge if copy-pasting hyperlinks in that context is even possible. But there is another way to achieve what you want by using two shell scripts, relying on xdg-open and inotifywait (from the inotify-tools package). The basic idea here is to firstly pass hyperlink data indirectly by temporarily storing those in the filesystem in a pre-determined location (which would need read-write access in the originating profile, libreoffice in this case). That can be taken care of by a xdg-open wrapper script. Once you have the hyperlink data stored this way, it is rather easy to write a second script that uses inotifywait to pick up the URL automatically and relaying it to a fully firejailed web browser of choice.

Theoretically you could instruct this second script to use what you refered to as a private firefox profile if so desired, but that's entirely up to you. As long as you ensure the hyperlink is opened in a fully sandboxed web browser, I do believe this to be reasonably secure. But that's only my personal opinion. Here are basic examples of the scripts involved:

• firejail-hyperlinker: https://ptpb.pw/ePZF
• firejail-hyperlinker.desktop: https://ptpb.pw/oJa7.desktop
• firejail-xdg-open: https://ptpb.pw/VSoT

Before using the above scripts, I would like to ask you for more patience. Take your time to go over these scripts and feel free to ask more questions on anything unclear/unexplained. At this point it would be wise to wait for input from more experienced firejail collaborators regarding security implications of what I propose here.

Regards.

UPDATE:
I lost the original pastebin files due to the demise of ptpb.pw. Newly designed files for achieving the same (and more) can be found here and here. AUR users can try firejail-handler-http and/or firejail-handler-extra.

[chiraag-nataraj]

@rieje As @glitsj16 said, the easiest way is just to copy-paste the link (this is what I personally do). This also works around a stupid bug in firefox where if you have multiple profiles open, it will only open links in the oldest running profile (the one you opened first) even if you specify a different profile. This can be bad, for example, when you have different profiles running concurrently with very different privacy settings (as I do).

Intuitively, the solution proposed above looks okay. I personally think it's less than ideal because of the bug above, but that's probably just my personal use case.

Either way, I would strongly not recommend modifying libreoffice's profile to allow running firefox within.

[SkewedZeppelin]

@chiraag-nataraj off-topic

different profiles running concurrently with very different privacy settings

who needs profiles/containers when you have double keying?
privacy.firstparty.isolate true
gotta appreciate the Tor upstreaming.

[chiraag-nataraj]

@SkewedZeppelin

who needs profiles/containers when you have double keying?

Lots of reasons. I have a lot of privacy addons that sometimes break a site and I'm too lazy to figure out how to un-break it (especially if it's a one-off site rather than something I visit all the time), in which case I'll launch an ephemeral profile with pretty strong privacy settings enabled, but none of the addons (that profile gets deleted after I close it, hence "ephemeral").

I also have a specific profile just for chat/messaging sites (WhatsApp, Messenger, Slack, etc) and run each of those sites in its own container. Also, the way I have it set up, when I launch firefox with a profile within firejail, it can only see that profile, providing a bit of redundant security/privacy.

Yeah, I'm probably going overboard 😂

[chiraag-nataraj]

Going to close this as the question seems to have been answered and several different options giving. @rieje, please feel free to re-open if you have more questions.