Can browsers open local files?

Hi there… Currently running all my browsers in snaps - now due to confinement (I assume), I cannot open any local files. What triggered this was that, for example, I use the fish shell, which has a command called fish_config which spawns a local config page… And I keep getting permission denied in all snapped browsers. For example, in this case, it would be something like: file:///home/dustin/.cache/fish/web_config-JII9K2.html. And I’m sure devs working locally may have this type of issue. Now I got around it by running the Python SimpleHTTPServer out of the directory and accessing over localhost.

Is this a use case that should be considered when packaging a browser?

chromium (and most likely other browser snaps if they declare the home plug) can read files in the user’s home directory, but that interface intentionally denies access to files in hidden (dot) folders.

So you won’t be able to view file:///home/dustin/.cache/test.html, but you should be able to view file:///home/dustin/test.html or file:///home/dustin/path/to/test.html.

I’m sure there’s a good reason, but why would it not allow access to files that are within your home directory?

@jdstrand would be able to elaborate on this, but I think the rationale is that hidden folders are more likely to contain sensitive information that random snaps should not be able to access.

Ah ok. That makes sense. I’m not sure what the best way is to deal with this. Especially since I can circumvent it with a simple python command. In some ways, it almost isn’t useful. But at the same time, looking at localhost files is at times still needed.

The default policy disallows all access in the user’s home except for the snap-specific directories in $SNAP_USER_DATA and $SNAP_USER_COMMON.

The home interface is a transitional interface that allows access to everything in the user’s home except other snap directories and toplevel hidden directories such as .gpg, .ssh, .config, .fetchmailrc, etc., since these files and directories may contain sensitive data. Also, snaps can refresh and revert independently of deb/rpm/etc packages so they are not allowed to use files like ~/.config/$SNAP_NAME since that might introduce instability with packages installed via package managers.

Keep in mind that the HOME environment variable at snap runtime is set to $SNAP_USER_DATA so your snap will be able to access $HOME/.cache from its perspective, but that is of course ~/snap/SNAP_NAME/SNAP_REVISION, not ~/.cache. In your particular case, I suggest using os.path.join(os.environ['HOME'], '.cache', ...) or plugging the home interface and picking a non-hidden-toplevel directory.
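
The access rules described in this thread, as an added example that is not part of the original posts: a simplified Python model of which paths a confined snap can reach, not snapd's actual AppArmor policy. The function names, the snap name "chromium" and the revision "123" are assumptions made for illustration.

```python
import os.path

def snap_home(real_home, snap_name, revision):
    """HOME as seen inside the snap: $SNAP_USER_DATA = ~/snap/NAME/REVISION."""
    return os.path.join(real_home, "snap", snap_name, revision)

def classify(path, real_home, snap_name, revision, home_plug=True):
    """Return (allowed, reason) for an absolute, already-resolved path.

    Models only the rules stated in the thread: default policy, the home
    interface, and the snap-specific directories.
    """
    path = os.path.normpath(path)
    real_home = os.path.normpath(real_home)
    if os.path.commonpath([path, real_home]) != real_home:
        return (False, "outside home: not covered by this model")
    rel = os.path.relpath(path, real_home)
    parts = [] if rel == os.curdir else rel.split(os.sep)
    # $SNAP_USER_DATA and $SNAP_USER_COMMON are always reachable.
    if parts[:3] in (["snap", snap_name, revision], ["snap", snap_name, "common"]):
        return (True, "snap-specific directory")
    if not home_plug:
        return (False, "default policy: no home access")
    if parts and parts[0] == "snap":
        return (False, "other snap directory")
    if parts and parts[0].startswith("."):
        return (False, "toplevel hidden entry")
    return (True, "home interface")

if __name__ == "__main__":
    home = "/home/dustin"
    samples = [  # constructed sample paths, based on the ones in the thread
        "/home/dustin/.cache/fish/web_config-JII9K2.html",
        "/home/dustin/test.html",
        "/home/dustin/path/to/test.html",
        # What $HOME/.cache resolves to from inside the snap:
        os.path.join(snap_home(home, "chromium", "123"), ".cache", "page.html"),
        "/home/dustin/snap/firefox/common/profile",
    ]
    for p in samples:
        allowed, reason = classify(p, home, "chromium", "123")
        print(f"{'ALLOW' if allowed else 'DENY ':5} {p}  ({reason})")
```

Only the first path component under the home directory is tested for a leading dot, matching the "toplevel hidden directories" wording above.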