Firefox as a snap package causes problems. Ubuntu developers are now presenting a first solution that Flatpak and other browsers can also benefit from.
Since Ubuntu 22.04 LTS (Jammy), Firefox has only been available as a snap package. Since the browser runs shielded in a Sanbox, extensions fail to communicate with other programs installed on the system, such as the password manager KeepassXC. As a solution, the Ubuntu team is working on a new interface that allows targeted exchange.
Canonical employee Olivier Tilloy has presented a first version of this and is asking users for feedback. With a few commands, you can try out this interface yourself under Ubuntu 22.04 LTS with a beta version of Firefox, even if it’s not yet running smoothly.
Desktop portal expanded
Browser extensions in Firefox and Chrome browsers use the Native Messaging API to communicate with a program on the host system. An application like the KeepassXC password manager uses a JSON file to define how the provided service (Native Messaging Server) is addressed and which extensions are allowed to access it. But the sandbox of Snap or Flatpak clamps off this interface.
To solve the problem, Olivier Tilloy and his colleague James Henstridge have extended the desktop portal (“xdg-desktop-portal”) with the new “WebExtensions” interface. This now allows browsers to request permission for a specific native messaging server. If this is approved, the browser extension can communicate with desired programs on the host system via the Native Messaging API. The approach does not give carte blanche, rather access must be granted separately for each browser extension.
The desktop portal is a collection of interfaces and was originally developed for Flatpak, but can also be used by Snap. The system or the user grants individual applications specific approvals for files, devices or actions such as printing or screenshots via portals. The releases are implemented on the basis of the D-Bus protocol.
The Ubuntu developers submitted the changes to the desktop portal upstream to the Flatpak project, but it has not yet been integrated. The new interface is now included in the “xdg-desktop-portal” package for Ubuntu 22.04. In addition, the Firefox 104 beta available in the Snap Store has been adjusted accordingly.
Tilloy says it has successfully used the new interface with KeepassXC and the Gnome Shell integration to install extensions. We were able to reproduce that too, even if it didn’t work right away. KeepassXC would not pair with the browser extension when we ran it as an AppImage. With the version from the APT package management (Debian package) we could use KeepassXC as usual.
Try the WebExtensions portal for yourself
If you want to test the function on systems with Ubuntu 22.04 yourself, you have to observe a few requirements. First, quit Firefox. Then check whether the “xdg-desktop-portal” package is installed in version “v1.14.4-1ubuntu2~22.04.1”. Because this is the only one that already contains the new WebExtensions interface. Check the version with apt policy xdg-desktop-portal
and if necessary, force the installation with the following command:
sudo apt install xdg-desktop-portal=1.14.4-1ubuntu2~22.04.1
Firefox 104 from the Snap Store beta track is also required, because the browser must also be adapted to the new interface. To do this, change the source in Firefox to “latest/beta” in “Ubuntu Software”. From the command line, use the following command:
sudo snap refresh firefox --beta
Also, restart the desktop portal. It should be enough to end the xdg-desktop-portal process with `kill -9`. For us it was more reliable to restart the service with systemd:
systemctl --user restart xdg-desktop-portal
How to ensure that the portal service loads the new extension. Then start Firefox with the profile manager (/snap/bin/firefox -P
) so as not to destroy your existing Firefox profile with the beta version.
Create a new profile and start Firefox with it. Then install a browser extension that uses the Native Messaging API. If everything is set up correctly, a system popup should ask if Firefox is allowed to start WebExtensions.
You can try this with the Gnome Extensions website. Open webpage extensions.gnome.org and install “Extension GNOME Shell Integration” and allow access for WebExtension. Then install the associated host program with “sudo apt install chrome-gnome-shell”. You should then be able to manage the extensions installed on your system under “Installed Extensions”. (Ignore the error message that host connector does not support API v6.)
If Firefox doesn’t ask for permission for WebExtensions, there is a curious solution: Check the permissions for the Firefox snap package with the Flatpak command line command.
sudo apt install flatpak flatpak permission-show snap.firefox
The command should show a table of permissions, with an entry for each native messaging service set up on a separate line. If necessary, adjust the authorization. Use the entries in the table as a template. With the following commands you allow the extensions for the Gnome Shell integration and KeepassXC access to the native messaging services.
flatpak permission-set webextensions org.gnome.chrome_gnome_shell snap.firefox yes flatpak permission-set webextensions org.keepassxc.keepassxc_browser snap.firefox yes
universal solution
With Canonical’s otherwise frequent special paths, it’s commendable that the Ubuntu developers have chosen an approach that solves the problem in general. In principle, the portal for WebExtension works with Chrome browsers (Google Chrome, Chromium, Vivaldi, …) as well as with Flatpak. These only have to be expanded to include the new interface.
The PKCS#11 interface for smart cards is also affected by the sandbox problem. Oliver Tilloy is optimistic that he will soon be able to implement a portal for this as well. First of all, however, the WebExtension portal should prove itself in practice.