Thanks for reminding :)

Mark H Weaver <m...@netris.org> writes:

> Hi,
>
> Z572 <873216...@qq.com> writes:
>> I add "/run/current-system/profile/share/fonts/" to
>> "security.sandbox.content.read_path_whitelist" fixed it for me.
>
> Thanks!  One very important note: you should "reset" this customization
> after updating to IceCat 91.3.0, or else IceCat will stop working
> correctly after some future update of Guix.  The reason is that the
> whitelist contains several other directories within /gnu/store/, and
> those directories will need to be updated whenever those components are
> updated in Guix.  For example, when 'ffmpeg' is updated to a newer
> version, or one of its dependent libraries is updated, the directory
> name /gnu/store/…-ffmpeg-4.4 will change; if you don't update the
> whitelist accordingly, video playback will stop working.
>
> In the IceCat 91.3.0 update that I pushed a few hours ago, I added
> "/run/current-system/profile/share/fonts/" to the default whitelist.
>
> So, I suggest that you update to IceCat 91.3.0 at your earliest
> opportunity, and then visit <about:config>, navigate to the
> "security.sandbox.content.read_path_whitelist" setting, and click on its
> "reset" button (the one with an arrow pointing to the left), to erase
> the customization of that setting.
>
> Note that it is not enough to simply remove the directory that you
> added.  You must click the reset button on that customization in order
> to allow it to be automatically updated in the future.
>
>                                * * *
>
> Going forward, I think that we should create a patch for IceCat
> analogous to the webkitgtk-bind-all-fonts.patch that Liliana wrote for
> WebKitGTK.  I think that all of the directories that currently comprise
> the default value of "security.sandbox.content.read_path_whitelist"
> should instead be *implicitly* added to the whitelist, in *addition* to
> the contents of "security.sandbox.content.read_path_whitelist".  That
> would enable users to customize that setting without having to manually
> keep the /gnu/store/…/ entries updated.
>
> I'll keep this bug open for now, pending a more proper fix.
>
> Thanks,
> Mark

--
over
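
The check below is an added example, not part of the original thread or of IceCat or Guix: it reads a profile's prefs.js text, reports whether "security.sandbox.content.read_path_whitelist" is customized (and therefore frozen), and lists entries that no longer exist on disk. It assumes customized prefs appear as `user_pref("name", "value");` lines and that the value is a comma-separated list of paths; the function names, the sample prefs.js content and the store hash placeholder are constructed for illustration.

```python
import json
import os
import re

PREF = "security.sandbox.content.read_path_whitelist"
# prefs.js records only prefs that differ from the default, one per line.
PREF_RE = re.compile(r'^user_pref\("' + re.escape(PREF) + r'",\s*(".*")\);\s*$', re.M)

# Constructed sample of a profile's prefs.js; the store hash is a placeholder.
SAMPLE_PREFS = '''\
user_pref("browser.startup.page", 3);
user_pref("security.sandbox.content.read_path_whitelist", "/run/current-system/profile/share/fonts/,/gnu/store/CONSTRUCTED-HASH-ffmpeg-4.4/");
'''

def customized_whitelist(prefs_js_text):
    """Return the user-set whitelist entries, or None when the pref is at its default."""
    match = PREF_RE.search(prefs_js_text)
    if match is None:
        return None
    # Assumption: the quoted value parses as a JSON string (true for plain paths).
    value = json.loads(match.group(1))
    return [entry.strip() for entry in value.split(",") if entry.strip()]

def stale_entries(entries, exists=os.path.exists):
    """Whitelist entries that are no longer on disk, such as a replaced /gnu/store item."""
    return [entry for entry in entries if not exists(entry)]

def audit(prefs_js_text, exists=os.path.exists):
    """Summarize whether the whitelist is frozen by a customization and what went stale."""
    entries = customized_whitelist(prefs_js_text)
    if entries is None:
        return {"customized": False, "entries": [], "stale": []}
    return {"customized": True, "entries": entries, "stale": stale_entries(entries, exists)}

if __name__ == "__main__":
    # Pretend only /run/... exists, as after a Guix update replaced the ffmpeg store item.
    report = audit(SAMPLE_PREFS, exists=lambda path: path.startswith("/run/"))
    if not report["customized"]:
        print("whitelist is at its default and will follow IceCat updates")
    else:
        print("whitelist is customized; reset it in about:config to receive updates")
        for path in report["stale"]:
            print("stale entry:", path)
```
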