root icon indicating copy to clipboard operation
root copied to clipboard
verified publisher icon root-project

WebGUI doesn't work with snap sandboxing

Open Axel-Naumann opened this issue 1 year ago • 1 comments

Check duplicate issues.

  • [ ] Checked for duplicates

Description

Hi,

starting the webgui (new TBrowser) opens a chromium window which complains:

Your file couldn’t be accessed
It may have been moved, edited, or deleted.
ERR_FILE_NOT_FOUND

I guess this corresponds to the following process:

axel       17508    3604  4 15:51 pts/0    00:00:01     /snap/chromium/2950/usr/lib/chromium-browser/chrome --password-store --disable-features=TFLiteLanguageDetectionEnabled --window-size=1200,700 --new-window --app=file:///tmp/root_start_t9pNYd.html

Note that this is a snap package; the browser might not be allowed to access files in /tmp as per https://forum.snapcraft.io/t/can-browsers-open-local-files/3016

(I can work around this, but I thought it'd still be worthwhile to report this.)

Cheers, Axel

Reproducer

new TBrowser with web gui.

ROOT version

master

Installation method

source

Operating system

Ubuntu 24.04

Additional context

No response

Axel-Naumann avatar Sep 20 '24 13:09 Axel-Naumann

Hi Axel,

Can you try to add --allow-file-access-from-files to the command line? It can be done with the following entry in .rootrc file:

WebGui.ChromeInteractive: $prog $geometry --new-window  --allow-file-access-from-files --app='$url'  &

linev avatar Sep 23 '24 12:09 linev

WebGui.ChromeInteractive: $prog $geometry --new-window --allow-file-access-from-files --app='$url' &

@linev I confirm that this solves the issue.

Question: should this be documented? Or should we just close this issue as Won't fix, considering that it's not a safe flag? See https://stackoverflow.com/a/33801287/7471760

I think a better solution would be to allow to define a Variable in the .rootrc file, something like WebGui.TempFolder, which is /tmp by default, but can be modified to /home/user/mytmp so that it works fine with snap sandboxing.

ferdymercury avatar Aug 26 '25 21:08 ferdymercury

That is value for you in WebGui.Chrome in etc/system.rootrc file? I already implement workaround for snap chromium - if its name "/snap/bin/chromium".

See https://github.com/root-project/root/pull/18311

Probably another name variants can be tested.

And you always can redefine shell variable TMPDIR before running ROOT.

linev avatar Aug 27 '25 06:08 linev

hat is value for you in WebGui.Chrome in etc/system.rootrc file?

It's empty.

Chromium is not my default browser. What I do is the following:

root --web=on
gROOT->SetWebDisplay("chromium-browser");
new TBrowser

This starts the following process: /snap/chromium/3218/usr/lib/chromium-browser/chrome --password-store --gtk-version=3 --disable-features=TFLiteLanguageDetectionEnabled file:///tmp/root_start_zTlQy9.html

/usr/bin/chromium-browser is a shell script that starts /snap/bin/chromium with different flags depending on the desktop.

Probably another name variants can be tested. Hmm, I am not sure if this makes sense, since /usr/bin/chromium-browser could point to an APT installation that is not in snap.

And you always can redefine shell variable TMPDIR before running ROOT.

I confirm that this works, thanks for pointing. Could this trick be documented here: https://root.cern/doc/master/group__webdisplay.html?

ferdymercury avatar Aug 27 '25 07:08 ferdymercury

Try to run root --web=chrome -e 'new TBrowser'.

Current ROOT master should test snap chromium and will activate workaround.

linev avatar Aug 27 '25 08:08 linev

This works:

Try to run root --web=chrome -e 'new TBrowser'.

/snap/chromium/3218/usr/lib/chromium-browser/chrome --password-store --gtk-version=3 --disable-features=TFLiteLanguageDetectionEnabled --window-size=1200,700 --new-window --app=file:///home/user/root_start_Us0Yl8.html

This fails:

Try to run root --web=chromium-browser -e 'new TBrowser'.

/snap/chromium/3218/usr/lib/chromium-browser/chrome --password-store --gtk-version=3 --disable-features=TFLiteLanguageDetectionEnabled file:///tmp/root_start_AhgOb2.html

ferdymercury avatar Aug 27 '25 08:08 ferdymercury

So workaround works correctly when --web=chrome is set. In my mind, https://github.com/root-project/root/pull/18311 fixes the problem. And one can add few words about TMPDIR in documentation for RWebWindowsManager::ShowWindow method

linev avatar Aug 27 '25 08:08 linev

Fixed by #18311

linev avatar Aug 27 '25 08:08 linev

So workaround works correctly when --web=chrome is set.

Thanks. Do you know why it fails if --web=chromium-browser, even if it still understands that I want to use the chromium-browser and starts it?

ferdymercury avatar Aug 27 '25 08:08 ferdymercury

If fails with chromium-browser while it is not detected as snap version of chrome and therefore workaround is not applied.

linev avatar Aug 27 '25 08:08 linev