暂无描述

Rob Austein b7434629d7 Icky hack 5 年之前
.dockerignore 60eee0111d First public version 5 年之前
.gitignore 27d1b74e64 Hack for JavaSE instead of OpenJDK 5 年之前
Dockerfile d0eb10aebb Working, ish 5 年之前
Makefile f03f999dd7 Try switching to Ubuntu for icedtea-plugin 5 年之前
README.md b7434629d7 Icky hack 5 年之前
create.sh f03f999dd7 Try switching to Ubuntu for icedtea-plugin 5 年之前
icewm.menu d0eb10aebb Working, ish 5 年之前
ratpoisonrc 52bd9bb98c Switch to ratpoison 5 年之前
run.sh f03f999dd7 Try switching to Ubuntu for icedtea-plugin 5 年之前
startup.sh d0eb10aebb Working, ish 5 年之前

README.md

Fireduck

Waterfox running under Xvnc inside a Docker container, a demented tool to solve a demented problem.

Occasionally one needs to run dangerous code in a web brower, eg, some dodgy Java app which is the only available interface to some critical resource. Running this in one's normal web browser is a bad idea.

So what one really wants here is a burner web browser. Here you go.

See create.sh and run.sh for ways one might use the image.

Something along the lines of the run.sh formulation might work well as the command portion of a tunneling ssh -L 5900:127.0.0.1:5900 command.

This version is based on Ubuntu rather than Debian, because I was trying to get the icedtea-web Java Plugin stuff to work. Didn't work, but then I tried a recipe for getting Java SE instead of OpenJDK, and that does seem to work. Might work equally well on Debian.

Sadly, this approach requires one to download JRE directly from Oracle, get an account, and check through a license agreement, so I can't just give it away, you'll have to download the JRE yourself.

Kate's reference on installing Java

Even with this, Java still whines a lot when dealing with the kind of crappy old IPMI consoles that require this insanity in the first place. Among other things, Java whines that the crappy Java app supplied by IPMI isn't signed properly (true), and therefore refuses to run it (why were we doing this again?). Once one gets past that, one has to argue with Waterfox a bit to get it to believe that you want to use javaws as the launcher for jnlp files.

You can bypass the Java whining by prepopulating /root/.java/deployment/security/exception.sites with a URL whitelist. The format appears to be one URL per line, no comments or other formatting. Example:

https://ipmi.foo.example.org
https://ipmi.bar.example.org

There's probably some way to preset Waterfox's MIME handler for jnlp files to run /usr/bin/javaws but after working out all of the above I lack the patience to dig further today.

Yeah, there's a way, and it's disgusting: pre-populate the Waterfox config tree, then overwrite or edit handlers.json. Something like this would work for the pre-population step:

waterfox --headless & waterfox=$!
sleep 2
kill -HUP $waterfox

Then either blindly cp or use a small Python script to edit the JSON. The snippet we want to add is:

        "application/x-java-jnlp-file": {
            "action": 2,
            "extensions": [
                "jnlp"
            ],
            "handlers": [
                {
                    "name": "javaws",
                    "path": "/usr/bin/javaws"
                }
            ]
        }

as another entry in the mimeTypes section.

>>> import json
>>> handlers = json.load(open("handlers.json"))
>>> handlers["mimeTypes"]["application/x-java-jnlp-file"]
{u'action': 2, u'extensions': [u'jnlp'], u'handlers': [{u'path': u'/usr/bin/javaws', u'name': u'javaws'}]}