diff options
| author |  sommerfeld <sommerfeld@sommerfeld.dev> | 2026-05-14 10:58:37 +0100 |
|---|---|---|
| committer | sommerfeld <sommerfeld@sommerfeld.dev> | 2026-05-14 10:58:37 +0100 |
| commit | 3fc4705b6c711871a920290feef138694e72d29a (patch) | |
| tree | 8e2dfddb3d930fda7c4a8972a1086782b7daad17 /firefox | |
| parent | 726005786ab398e89673bf8c141e50645f676c57 (diff) | |
| download | dotfiles-3fc4705b6c711871a920290feef138694e72d29a.tar.gz dotfiles-3fc4705b6c711871a920290feef138694e72d29a.tar.bz2 dotfiles-3fc4705b6c711871a920290feef138694e72d29a.zip | |
feat: teams autostart, llama-cpp-vulkan ignore, snxctl-chromium wrapper
systemd/user/teams-{sii,xsight}.service: autostart both Teams flatpak
profiles on sway-session.target login. KillMode=mixed so SIGTERM hits
only the wrapper process — both instances share the same flatpak app
id, so killing by app id would take down the sibling instance. A 15s
SIGKILL fallback covers the case where Electron tray-hides instead of
quitting. Both units listed in systemd-units/user.txt.
etc/pacman.conf: IgnorePkg = llama-cpp-vulkan. The AUR package rebuilds
on every llama.cpp commit (multi-hour build). Update manually with
`paru -S llama-cpp-vulkan` when intended.
snxctl-chromium wrapper:
- dot_local/share/snx-rs/bin/xdg-open: shim that flatpak-runs
ungoogled-chromium, used only by snx-rs.
- dot_config/systemd/user/snx-rs.service.d/10-chromium-saml.conf:
drop-in prepending that dir to the daemon's PATH so snx-rs's
opener-crate call to xdg-open lands in chromium, without affecting
xdg-open for any other process.
- dot_local/bin/snxctl-chromium: convenience wrapper that
daemon-reloads and restarts snx-rs.service if the drop-in isn't yet
applied, then execs `snxctl connect`.
firefox/user-overrides.js: revert the dom.security.https_only_mode.
upgrade_local and network.lna.local-network-to-localhost.skip-checks
prefs — they didn't actually fix the SAML flow. Replaced with a
comment pointing to the wrapper instead.
Diffstat (limited to 'firefox')
| -rw-r--r-- | firefox/user-overrides.js | 18 |
1 files changed, 10 insertions, 8 deletions
diff --git a/firefox/user-overrides.js b/firefox/user-overrides.js index 6265f95..52059c2 100644 --- a/firefox/user-overrides.js +++ b/firefox/user-overrides.js @@ -29,14 +29,16 @@ user_pref("media.gmp-manager.url", "https://aus5.mozilla.org/update/3/GMP/%VERSI /** Network **/ user_pref("network.dns.disableIPv6", false); // keep IPv6 enabled -/** Loopback callbacks (VPN/SSO clients like snx-rs, Forticlient) **/ -// snx-rs and similar VPN clients land SAML callbacks on http://127.0.0.1:<port>/<token>. -// LibreWolf hardens beyond arkenfox by force-upgrading loopback to HTTPS and enabling -// LNA blocking; both break the plain-HTTP loopback handoff. Restoring stock Firefox / -// arkenfox behaviour for loopback only. arkenfox 1245 deliberately leaves upgrade_local -// commented out and does not touch network.lna.*. See LibreWolf issues #2954, #2962. -user_pref("dom.security.https_only_mode.upgrade_local", false); -user_pref("network.lna.local-network-to-localhost.skip-checks", true); +// NOTE on snx-rs SAML loopback callbacks (Check Point VPN): +// LibreWolf force-upgrades http://127.0.0.1:<port>/<token> to HTTPS and +// enables LNA blocking, which both break the snx-rs SAML handoff. +// `dom.security.https_only_mode.upgrade_local = false` and +// `network.lna.local-network-to-localhost.skip-checks = true` were tried +// here and did NOT actually fix the SAML flow — left disabled. The +// working fix is the wrapper script ~/.local/bin/snxctl-chromium, which +// routes snx-rs's xdg-open through flatpak ungoogled-chromium via a +// systemd --user drop-in. See dot_local/share/snx-rs/bin/xdg-open and +// dot_config/systemd/user/snx-rs.service.d/10-chromium-saml.conf. /** Resist Fingerprinting **/ user_pref("privacy.resistFingerprinting.testGranularityMask", 4); |