Firejail: firefox '<url>' no longer works?

G'day @rieje and thanks for the report!
I'm also running fully-updated Arch (the only obvious difference from your setup being that I built firejail from the latest code on GitHub) and firefox 'twitter.com' works without problems for me.

Can you test a few things for me?

1. Does firefox 'twitter.com' work when you're not running Firefox in firejail?
2. If so, what happens with firejail --noprofile firefox 'twitter.com'?
3. Can you try disabling any Firefox extensions and seeing what happens?

Cheers!
Fred

/usr/bin/firefox 'twitter.com' (which does not use firejail) works as stated. firefox 'twitter.com' for me uses /usr/local/bin firefox, which is a wrapper I've made that uses firejail, and that does not work for me any more, hence this issue (it used to work).

firejail --noprofile firefox 'twitter.com' works, but I get the warning:

Warning: an existing sandbox was detected. /usr/bin/firefox will run without any additional sandboxing features

despite closing all instances of Firefox.

I disabled all Firefox extensions and it hasn't changed anything. I'm using the Arch package instead of building the latest code on Github--maybe you can try the Arch package and see if you experience the same issue I'm having.

Thanks.

Warning: an existing sandbox was detected.

That is caused because firefox is already a symlink to firejail, due to firecfg. Its equlivant to running firejail /usr/bin/firejail /usr/bin/firefox

Try firejail --noprofile /usr/bin/firefox instead.

And as a side, I aswell cannot repro this issue.

Both firejail --noprofile /usr/bin/firefox 'twitter.com' and firejail /usr/bin/firefox 'twitter.com' works, so I guess something is wrong with my /usr/local/bin/firefox script that leads to firefox 'twitter.com' not working for me (since the script is in /usr/local/bin and has priority over /usr/bin/firefox). I don't recall changing it though and it worked previously.

Can you see if it works? Thanks.

@rieje I just tested your script and am still not able to reproduce this issue.

Are you using a weird shell like fish or anything?

I am using bash/zsh and have always used them when it worked. How about try the script with my firefox.profile?

@rieje nothing in your profile should cause that, at least not that I see.

This is an odd one.

For what it's worth, I am not seeing this issue with the script you posted. Nothing that is configurable in profiles can prevent command-line args parsing as far as I know, so I don't think the issue is there. Can you do a which firefox and a cat $(which firefox) and post the output (don't post the output of the second one if it's a binary file 😛)? I have a sneaking suspicion something else has priority over your script and that's why you're seeing this behavior.

$ which firefox

/usr/local/bin/firefox

$ cat $(which firefox)

#!/usr/bin/env sh

# Firefox wrapper to launch in a temporary firejail sandbox in Private Browsing mode.

/usr/bin/firejail --profile="${HOME}/.config/firejail/firefox.profile" --private /usr/bin/firefox -no-remote --private "$@"

Hmm. And manually running the command in the script with an argument works? That is, try running /usr/bin/firejail --profile="${HOME}/.config/firejail/firefox.profile" --private /usr/bin/firefox -no-remote --private google.com (for example) to see if that works.

That exact command works, but simply replacing the argument google.com with twitter.com doesn't. I suppose that's the root of the error. Very strange--is this a bug of Firefox then?

But twitter.com works for me...

I triple-checked and it doesn't for me Going to make a thread on the Firefox subreddit and see if I can find some answers, this is very strange. Thanks.

@rieje could you try github.com?

That unfortunately also doesn't work. I even tried prepending www. and https://www. to it.

Do any other URLs work at all? How about mozilla.com?

@chiraag-nataraj yea. I thought it might've been an OCSP issue or something. github.com and twitter.com both use DigiCert.

Firefox hard fails when it cannot verify an EV cert.

OCSP servers can be blocked or even frequently go down. I'd expect it to show an error for that, but you never know.

Based on what @SpotComms said, I checked my mozilla.cfg (list of customized about:config settings) since I remember having some OCSP settings. Turns out disabling those didn't seem to fix the issue, but I found out that lockPref("privacy.sanitize.sanitizeOnShutdown", true); appears to be the culprit. Can anyone confirm so I can close this issue as it appears to be Firefox-related?

Curious since I don't see how this particular setting can cause the undesirable behavior.

@rieje just tested, that was indeed it. Weird. It doesn't seem to be a known issue, feel free to report it to Mozilla. https://bugzilla.mozilla.org/buglist.cgi?quicksearch=sanitizeOnShutdown