[Pitch/Idea] Firefox flatpak extension to run KeePassXC with a flatpaked Firefox?

It is a well-known problem that you cannot run flatpak’ed Firefox together with KeePassXC. For security reasons though, you may want to flatpak Firefox.

A (now somewhat outdated, but see replies) solution is also explained here in this thread:

Problem

The issue appears as follows:

  1. Install the official Firefox flatpak for Linux: Install Firefox on Linux | Flathub
  2. Install KeePassXC desktop application.
  3. Install the KeePassXC browser extension (add-on/WebExtension)
    → Now try to connect → it will not work due to flatpak sandboxing.

Idea

Now, my proposed solution is based on this idea:

Apparently, you can solve it by two simple steps:

  1. Adding the keepassxc-proxy binary to Firefox’s sandbox (it needs to be statically linked though, or the Rust version)
  2. Allowing Firefox to access the socket of KeePassXC which is just flatpak override --filesystem=xdg-run/app/org.keepassxc.KeePassXC/org.keepassxc.KeePassXC.BrowserServer org.mozilla.firefox

This now can be shipped by a thing called flatpak extensions (which work like plugins), because flatpak supports this: Extensions - Flatpak documentation

So the whole setup would become:

  1. Install the official Firefox flatpak for Linux: Install Firefox on Linux | Flathub
  2. Install KeePassXC desktop application.
  3. Install the KeePassXC browser extension (add-on/WebExtension)
  4. New: (at any point of time) Install the flatpak extension for KeePassXC.

IMHO, this would be a very big achievement and improvement already. I mean especially if it is compared against the thing “not working at all”.
And as alternative solutions are not there yet, maybe this is a good idea?

Also, could it be published on Flathub (by someone else) and still work in the official Firefox flatpak?

I could not make an up-to-date screenshot of how that would be shown in GNOME Software, but in the past at least you could see extensions there (called “Add-ons”, apparently):

(Viewing GIMP in GNOME Software 47.2 though does not show any of these, I am unsure whether GIMP or GNOME-Software changed here.)

In the end, if it is shown here, that would just be one additional click.

Questions

I don’t know how difficult developing such a flatpak extension would be and I don’t know whether it would work as problems have recently already been reported.

The real solution

…unfortunately still awaits. The xdg-portal for native messaging has no solution yet:

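An added check, not part of the original post or of any project mentioned in it: it parses a Flatpak override keyfile and reports whether the KeePassXC socket path from step 2 of the idea is granted, and whether any filesystem grant is wider than that one socket. The function name, the sample keyfiles and the set of grants counted as "broad" are assumptions of this example.

```python
import configparser

# Socket path taken from the override command in the post above.
SOCKET = "xdg-run/app/org.keepassxc.KeePassXC/org.keepassxc.KeePassXC.BrowserServer"
# Assumption of this example: grants treated as far wider than one socket.
BROAD = {"host", "host-os", "host-etc", "home"}


def audit_override(keyfile_text):
    """Inspect the [Context] filesystems= list of a Flatpak override keyfile."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key names exactly as written
    cp.read_string(keyfile_text)
    raw = cp.get("Context", "filesystems", fallback="")
    reachable, wider = False, []
    for entry in raw.split(";"):
        entry = entry.strip()
        if not entry or entry.startswith("!"):  # "!" revokes, it grants nothing
            continue
        path = entry.partition(":")[0].rstrip("/")  # drop :ro / :rw / :create
        if path == SOCKET:
            reachable = True
        elif SOCKET.startswith(path + "/"):  # a parent directory of the socket
            reachable = True
            wider.append(path)
        elif path in BROAD:
            wider.append(path)
    return {"socket_reachable": reachable, "wider_than_needed": wider}


# Constructed sample keyfiles (not taken from a real system).
NARROW = "[Context]\nfilesystems=" + SOCKET + ";\n"
WIDE = "[Context]\nfilesystems=home;xdg-run/app/org.keepassxc.KeePassXC;!xdg-download;\n"
UNSET = "[Context]\nsockets=wayland;\n"

if __name__ == "__main__":
    for name, text in (("narrow", NARROW), ("wide", WIDE), ("unset", UNSET)):
        print(name, audit_override(text))
```

Per-user overrides are typically stored in ~/.local/share/flatpak/overrides/org.mozilla.firefox; pass that file's contents to audit_override.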

To be honest, without this working, flatpak browser-wise is pointless. Yeah, you can do the workaround, but normal users won’t do that and will just think it’s broken, and send tickets, if at all, to the wrong people.
As it stands, it’s a wall to immutable desktops if they don’t have layering where you can just install the browser on the system, like with ostree. Though that’s still more than a normal user would do.

Seriously, do some of us really wonder how everything binary continues to manifest such a privacy/security disaster…even “informed” users simply don’t innerstand the cost of the “tyranny of convenience”, along with the dark destructive nature of effortless. If one doesn’t want or appreciate an application sandboxed, simply don’t use it. D’oh!