-rw-r--r--dot_config/waybar/executable_snx-vpn-toggle.sh13
-rwxr-xr-xdot_local/bin/executable_snxctl-chromium21
-rw-r--r--dot_local/share/snx-rs/bin/executable_xdg-open10
-rw-r--r--firefox/user-overrides.js11
4 files changed, 2 insertions, 53 deletions
diff --git a/dot_config/waybar/executable_snx-vpn-toggle.sh b/dot_config/waybar/executable_snx-vpn-toggle.sh
index f42690d..12738af 100644
--- a/dot_config/waybar/executable_snx-vpn-toggle.sh
+++ b/dot_config/waybar/executable_snx-vpn-toggle.sh
@@ -1,7 +1,5 @@
#!/bin/sh
-# Toggle the snx-rs (Check Point) tunnel. Connect goes through the
-# snxctl-chromium wrapper so SAML lands in the flatpak ungoogled
-# chromium (LibreWolf blocks the 127.0.0.1:7779 callback).
+# Toggle the snx-rs (Check Point) tunnel.
#
# Refresh the waybar custom/snx-vpn module immediately with SIGRTMIN+9.
set -eu
@@ -10,14 +8,7 @@ state=$(timeout 2 snxctl status 2>/dev/null || echo Disconnected)
case "$state" in
*"Disconnected"*)
- # Detach so waybar doesn't block waiting for SAML. The inner script
- # re-signals waybar when the connect attempt finishes so the badge
- # flips immediately to its final state.
- # shellcheck disable=SC2016
- setsid -f sh -c '
- "$HOME/.local/bin/snxctl-chromium" >/tmp/snxctl-chromium.log 2>&1
- pid=$(pidof waybar) && kill -SIGRTMIN+9 $pid 2>/dev/null || true
- '
+ setsid -f snxctl connect >/tmp/snxctl.log 2>&1 &
;;
*)
snxctl disconnect >/dev/null 2>&1 || true
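Review bot: The new connect line sends all `snxctl connect` output to the fixed path `/tmp/snxctl.log`, a predictable name in a world-writable directory. On a shared host another local account could pre-create that file or read it afterwards, and the output may well include SAML login details. A per-user location avoids this, and the trailing `&` can go because `setsid -f` already forks: `setsid -f snxctl connect >"${XDG_RUNTIME_DIR:-/tmp}/snxctl.log" 2>&1`. The removed inner script also re-signalled waybar once the connect attempt finished. Whether the badge still reaches its final state now depends on the code after the `case`, which lies outside this hunk.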
diff --git a/dot_local/bin/executable_snxctl-chromium b/dot_local/bin/executable_snxctl-chromium
deleted file mode 100755
index c97b026..0000000
--- a/dot_local/bin/executable_snxctl-chromium
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/sh
-# snxctl-chromium: `snxctl connect` with the flatpak ungoogled-chromium as
-# the SAML browser. Bypasses LibreWolf's loopback HTTPS-upgrade + LNA block
-# that stop snx-rs's 127.0.0.1:7779 SAML callback from completing.
-#
-# snxctl runs `opener::open(url)` in-process; opener on Linux execs
-# `xdg-open` first. We prepend a private bin dir containing only an
-# `xdg-open` shim that flatpak-runs ungoogled-chromium. No daemon
-# tweaks needed — the override is scoped to this snxctl invocation.
-set -eu
-
-SHIM_DIR="$HOME/.local/share/snx-rs/bin"
-
-if [ ! -x "$SHIM_DIR/xdg-open" ]; then
- printf '%s: missing xdg-open shim at %s\n' "${0##*/}" "$SHIM_DIR/xdg-open" >&2
- exit 1
-fi
-
-PATH="$SHIM_DIR:$PATH"
-export PATH
-exec snxctl connect "$@"
diff --git a/dot_local/share/snx-rs/bin/executable_xdg-open b/dot_local/share/snx-rs/bin/executable_xdg-open
deleted file mode 100644
index f646200..0000000
--- a/dot_local/share/snx-rs/bin/executable_xdg-open
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/bin/sh
-# xdg-open shim that hands every URL to the flatpak ungoogled-chromium.
-#
-# Used by `snxctl connect` (via the snxctl-chromium wrapper) so the
-# Check Point SAML callback lands in a browser that won't HTTPS-upgrade
-# or LNA-block the loopback handoff to 127.0.0.1:7779. The wrapper
-# prepends this directory to snxctl's PATH — this file does NOT shadow
-# the system-wide xdg-open for any other process.
-exec flatpak run io.github.ungoogled_software.ungoogled_chromium \
- "$@"
diff --git a/firefox/user-overrides.js b/firefox/user-overrides.js
index 52059c2..aa79951 100644
--- a/firefox/user-overrides.js
+++ b/firefox/user-overrides.js
@@ -29,17 +29,6 @@ user_pref("media.gmp-manager.url", "https://aus5.mozilla.org/update/3/GMP/%VERSI
/** Network **/
user_pref("network.dns.disableIPv6", false); // keep IPv6 enabled
-// NOTE on snx-rs SAML loopback callbacks (Check Point VPN):
-// LibreWolf force-upgrades http://127.0.0.1:<port>/<token> to HTTPS and
-// enables LNA blocking, which both break the snx-rs SAML handoff.
-// `dom.security.https_only_mode.upgrade_local = false` and
-// `network.lna.local-network-to-localhost.skip-checks = true` were tried
-// here and did NOT actually fix the SAML flow — left disabled. The
-// working fix is the wrapper script ~/.local/bin/snxctl-chromium, which
-// routes snx-rs's xdg-open through flatpak ungoogled-chromium via a
-// systemd --user drop-in. See dot_local/share/snx-rs/bin/xdg-open and
-// dot_config/systemd/user/snx-rs.service.d/10-chromium-saml.conf.
-
/** Resist Fingerprinting **/
user_pref("privacy.resistFingerprinting.testGranularityMask", 4);
user_pref("privacy.resistFingerprinting.exemptedDomains", "meet.google.com,teams.microsoft.com");