icecat 91 can't display Chinese fonts on many web pages

  • Open
Details
4 participants
  • Z572
  • Dr. Arne Babenhauserheide
  • ison
  • Mark H Weaver
Owner
unassigned
Submitted by
Z572
Severity
normal
Dr. Arne Babenhauserheide wrote on 29 Oct 2021 16:05
(name . Z572)(address . 873216071@qq.com)
87mtmsc4ds.fsf@web.de
Hi,

Z572 via Bug reports for GNU Guix <bug-guix@gnu.org> writes:

> after updating to 91, icecat can't display Chinese fonts on many web pages:

Thank you for your report!

Does it help to run

fc-cache -rv

on the command line?

Best wishes,
Arne
--
To be unpolitical
means to be political
without noticing it.
draketo.de

Mark H Weaver wrote on 29 Oct 2021 22:16
87tugzvb58.fsf@netris.org
Z572 via Bug reports for GNU Guix <bug-guix@gnu.org> writes:
> after updating to 91, icecat can't display Chinese fonts on many web pages:

Thanks for the report.

As a temporary workaround, it might help to visit <about:config> and
change the setting for "security.sandbox.content.read_path_whitelist"
to contain simply "/gnu/store/".

Doing so will make your IceCat do what all other modern web browsers in
Guix do: simply give the browser sandbox access to *all* of /gnu/store/.
The disadvantage of doing so is that the sandbox will then be able to see
the complete list of Guix-installed software components installed on
your system, as well as the precise version numbers of those software
components.

To my knowledge, IceCat is the only modern web browser packaged in Guix
that attempts to build a precise whitelist of directories within
/gnu/store/ that the sandbox is given access to.

When updating our Guix package to IceCat 91, I discovered that it is now
necessary to add font directories to the whitelist, whereas that was not
needed in IceCat 78. For now, I've added 'font-dejavu' as an explicit
input to our 'icecat' package, and added its font/share directory to the
whitelist. However, I can see now that this solution is not adequate.

To be continued...

Mark

--
Disinformation flourishes because many people care deeply about injustice
but very few check the facts. Ask me about https://stallmansupport.org.
ison wrote
(name . Dr. Arne Babenhauserheide)(address . arne_bab@web.de)
87h7czeda1.fsf@airmail.cc
I'm not entirely sure if this is related, but after upgrading to 91
icecat would no longer use fonts from anywhere but my home directories
(~/.fonts or ~/.local/share/fonts).
And changing the whitelist to /gnu/store doesn't fix it.

What's strange is that the fonts are still listed in the icecat font
settings, but it won't use them. Even if I uncheck the box to allow
pages to choose their own fonts.

For example my LiberationSans font stopped working. But if I copy it (or
symlink it) to my ~/.fonts then it works.
NOTE: I test it by changing security.sandbox.content.read_path_whitelist
in about:config to "/gnu/store", closing icecat, running fc-cache -fv
(both as root and normal user), then opening icecat again. And it still
only uses LiberationSans if it gets copied to my home.
Mark H Weaver wrote on 30 Oct 2021 01:52
87mtmrv16a.fsf@netris.org
ison <ison@airmail.cc> writes:
> NOTE: I test it by changing security.sandbox.content.read_path_whitelist
> in about:config to "/gnu/store"

That won't work. As I recall, there *must* be a slash at the end of
each directory in the whitelist, as in "/gnu/store/", not just
"/gnu/store". Does that make a difference for you?

Thanks,
Mark

--
Disinformation flourishes because many people care deeply about injustice
but very few check the facts. Ask me about https://stallmansupport.org.
ison wrote
(name . Mark H Weaver)(address . mhw@netris.org)
87sfwjcmpz.fsf@airmail.cc
Mark H Weaver <mhw@netris.org> writes:
> ison <ison@airmail.cc> writes:
>> NOTE: I test it by changing security.sandbox.content.read_path_whitelist
>> in about:config to "/gnu/store"
>
> That won't work. As I recall, there *must* be a slash at the end of
> each directory in the whitelist, as in "/gnu/store/", not just
> "/gnu/store". Does that make a difference for you?

That fixed it for me. Thanks for the help.
Z572 wrote
(name . Mark H Weaver)(address . mhw@netris.org)(address . 51478@debbugs.gnu.org)
tencent_79CBBF2C9DF7728492B45AB7CDBCD483AC07@qq.com
Adding "/run/current-system/profile/share/fonts/" to
"security.sandbox.content.read_path_whitelist" fixed it for me.

Thanks for the help.


Mark H Weaver <mhw@netris.org> writes:

> Z572 via Bug reports for GNU Guix <bug-guix@gnu.org> writes:
>> after updating to 91, icecat can't display Chinese fonts on many web pages:
>
> Thanks for the report.
>
> As a temporary workaround, it might help to visit <about:config> and
> change the setting for "security.sandbox.content.read_path_whitelist"
> to contain simply "/gnu/store/".
>
> Doing so will make your IceCat do what all other modern web browsers in
> Guix do: simply give the browser sandbox access to *all* of /gnu/store/.
> The disadvantage of doing so is that the sandbox will then be able to see
> the complete list of Guix-installed software components installed on
> your system, as well as the precise version numbers of those software
> components.
>
> To my knowledge, IceCat is the only modern web browser packaged in Guix
> that attempts to build a precise whitelist of directories within
> /gnu/store/ that the sandbox is given access to.
>
> When updating our Guix package to IceCat 91, I discovered that it is now
> necessary to add font directories to the whitelist, whereas that was not
> needed in IceCat 78. For now, I've added 'font-dejavu' as an explicit
> input to our 'icecat' package, and added its font/share directory to the
> whitelist. However, I can see now that this solution is not adequate.
>
> To be continued...
>
> Mark


--
over
Mark H Weaver wrote on 2 Nov 2021 18:04
(name . Z572)(address . 873216071@qq.com)(address . 51478@debbugs.gnu.org)
87o872mqts.fsf@netris.org
Hi,

Z572 <873216071@qq.com> writes:
> Adding "/run/current-system/profile/share/fonts/" to
> "security.sandbox.content.read_path_whitelist" fixed it for me.

Thanks! One very important note: you should "reset" this customization
after updating to IceCat 91.3.0, or else IceCat will stop working
correctly after some future update of Guix. The reason is that the
whitelist contains several other directories within /gnu/store/, and
those directories will need to be updated whenever those components are
updated in Guix. For example, when 'ffmpeg' is updated to a newer
version, or one of its dependent libraries is updated, the directory
name /gnu/store/…-ffmpeg-4.4 will change; if you don't update the
whitelist accordingly, video playback will stop working.

In the IceCat 91.3.0 update that I pushed a few hours ago, I added
"/run/current-system/profile/share/fonts/" to the default whitelist.

So, I suggest that you update to IceCat 91.3.0 at your earliest
opportunity, and then visit <about:config>, navigate to the
"security.sandbox.content.read_path_whitelist" setting, and click on its
"reset" button (the one with an arrow pointing to the left), to erase
the customization of that setting.

Note that it is not enough to simply remove the directory that you
added. You must click the reset button on that customization in order
to allow it to be automatically updated in the future.

* * *

Going forward, I think that we should create a patch for IceCat
analogous to the webkitgtk-bind-all-fonts.patch that Liliana wrote for
WebKitGTK. I think that all of the directories that currently comprise
the default value of "security.sandbox.content.read_path_whitelist"
should instead be *implicitly* added to the whitelist, in *addition* to
the contents of "security.sandbox.content.read_path_whitelist". That
would enable users to customize that setting without having to manually
keep the /gnu/store/…/ entries updated.

I'll keep this bug open for now, pending a more proper fix.

Thanks,
Mark

--
Disinformation flourishes because many people care deeply about injustice
but very few check the facts. Ask me about https://stallmansupport.org.
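
The two pitfalls discussed in this thread (a whitelist entry without a trailing slash, and a customized value that pins /gnu/store/ directories which later disappear) can be checked offline. The following is an added example, not part of the thread and not Guix or IceCat code; it assumes customized settings appear as `user_pref(...)` lines in the profile's prefs.js and that whitelist entries are comma-separated, and the store hash in the sample is a constructed placeholder.

```python
import json
import os
import re

PREF = "security.sandbox.content.read_path_whitelist"
# Assumption: a setting changed from its default is recorded in the
# profile's prefs.js as a line of the form user_pref("name", "value");
_LINE = re.compile(r'^user_pref\("%s",\s*(".*")\);\s*$' % re.escape(PREF), re.M)


def audit_whitelist(prefs_text, exists=os.path.isdir):
    """Return None when the pref is not customized, otherwise a list of
    (entry, problems) pairs for each entry of the customized value."""
    m = _LINE.search(prefs_text)
    if m is None:
        return None  # no customization: the packaged default stays in effect
    value = json.loads(m.group(1))  # decode the quoted string literal
    report = []
    for entry in (e.strip() for e in value.split(",")):  # assumed separator
        if not entry:
            continue
        problems = []
        if not entry.endswith("/"):
            problems.append("no trailing slash: not treated as a directory")
        if entry.startswith("/gnu/store/") and not exists(entry):
            problems.append("store path missing: stale after an update")
        report.append((entry, problems))
    return report


# Constructed prefs.js excerpt; "aaaa...": placeholder for a store hash.
SAMPLE = (
    'user_pref("browser.startup.page", 3);\n'
    'user_pref("security.sandbox.content.read_path_whitelist", '
    '"/gnu/store,/gnu/store/' + "a" * 32 + '-ffmpeg-4.4/,'
    ' /run/current-system/profile/share/fonts/");\n'
)

if __name__ == "__main__":
    for entry, problems in audit_whitelist(SAMPLE) or []:
        print(entry, "->", "; ".join(problems) or "ok")
```

A result of `None` corresponds to the state after using the reset button: no customization is stored, so the default whitelist shipped with the package applies.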
Z572 wrote
(name . Mark H Weaver)(address . mhw@netris.org)(address . 51478@debbugs.gnu.org)
tencent_E1A4B3F672932C35240BF2EF43E7AEDCA505@qq.com
Thanks for the reminder :).

Mark H Weaver <mhw@netris.org> writes:

> Hi,
>
> Z572 <873216071@qq.com> writes:
>> Adding "/run/current-system/profile/share/fonts/" to
>> "security.sandbox.content.read_path_whitelist" fixed it for me.
>
> Thanks! One very important note: you should "reset" this customization
> after updating to IceCat 91.3.0, or else IceCat will stop working
> correctly after some future update of Guix. The reason is that the
> whitelist contains several other directories within /gnu/store/, and
> those directories will need to be updated whenever those components are
> updated in Guix. For example, when 'ffmpeg' is updated to a newer
> version, or one of its dependent libraries is updated, the directory
> name /gnu/store/…-ffmpeg-4.4 will change; if you don't update the
> whitelist accordingly, video playback will stop working.
>
> In the IceCat 91.3.0 update that I pushed a few hours ago, I added
> "/run/current-system/profile/share/fonts/" to the default whitelist.
>
> So, I suggest that you update to IceCat 91.3.0 at your earliest
> opportunity, and then visit <about:config>, navigate to the
> "security.sandbox.content.read_path_whitelist" setting, and click on its
> "reset" button (the one with an arrow pointing to the left), to erase
> the customization of that setting.
>
> Note that it is not enough to simply remove the directory that you
> added. You must click the reset button on that customization in order
> to allow it to be automatically updated in the future.
>
> * * *
>
> Going forward, I think that we should create a patch for IceCat
> analogous to the webkitgtk-bind-all-fonts.patch that Liliana wrote for
> WebKitGTK. I think that all of the directories that currently comprise
> the default value of "security.sandbox.content.read_path_whitelist"
> should instead be *implicitly* added to the whitelist, in *addition* to
> the contents of "security.sandbox.content.read_path_whitelist". That
> would enable users to customize that setting without having to manually
> keep the /gnu/store/…/ entries updated.
>
> I'll keep this bug open for now, pending a more proper fix.
>
> Thanks,
> Mark


--
over