Sandboxing, privacy and webapp-manager


I’m using Manjaro GNOME and am enjoying webapp-manager to access ‘evil’ websites such as Google Drive, Facebook, Instagram etc via PWAs (Progressive Web Apps). I’m using Firefox (which I’ve ‘hardened’ using this guide) to open the PWAs.

My question is: if I want to sandbox these ‘evil’ PWAs, i.e. minimize their access to data about my device, OS, browsing history, IP etc as much as possible, do I have to do anything else, or is using webapp-manager sufficient?

Normally I’d make up my own mind about something like this (e.g. I can simply use Firefox for PWAs and another browser as daily driver), but here’s the strange thing: the first time I log in to a PWA (e.g. Instagram) via webapp-manager, I get the usual Firefox prompt to save the password. I choose ‘never save for this site’. But when I close and reopen webapp-manager and then the Instagram PWA…I’m already logged in again.

Honestly, this is actually quite convenient, but clearly either Firefox or webapp-manager is saving my login details. When I directly try accessing Instagram from Firefox, I’m not logged in – so I’m guessing it’s webapp-manager. Is this correct? But then, how does it ensure the login details aren’t stored on Firefox?

I’ve already gone through webapp-manager’s Readme file from their GitHub page (linked above) and couldn’t find any info on this. If nothing else, I’d appreciate your inputs simply to satisfy my curiosity – I know I can just use Firefox only for PWAs and another browser as daily driver, but not understanding how webapp-manager works is bothering me, to be honest. Thanks a lot!

Where is it stipulated that this has any effect on containerization or privacy?
From a quick glance … all it does is ‘make a shortcut’ with a ‘single-site window’ of Firefox.
I don’t think it even uses a separate profile or anything like that.

For what you are after I might suggest some easy options are ‘firefox containers’ which will keep data separate even within the same ff profile, and firejail which is its own sandbox under which you can run instances of applications.

Thanks a lot! I’m definitely looking into firejail, it looks like exactly the solution I’ve been looking for. My only problem is that it’s not persistent, i.e. it won’t store login details within the firejailed app. I tried opening webapp-manager from firejail (using firejail webapp-manager on the terminal) and created a couple of web apps to test. When I closed webapp-manager and reran firejail webapp-manager, none of the web apps were there.

For now, I’ve ended up switching the Firefox web apps to use Brave instead, since webapp-manager gives you an explicit option to have isolated profiles on Brave:

It’s tedious, but I’ve basically ended up creating 8 individual Brave-based web apps (i.e. 8 individual isolated Brave profiles), added some extensions for further ‘hardening’ (uBlock Origin, Decentraleyes etc), and set each profile to autodelete all history and cached files (except login details for the specific web app) when closed. It’s not perfect, but I suppose it works for now.

You’re right, it doesn’t state so in the Readme, but I’m assuming this is the case since the ‘instance’ of Firefox on the web app doesn’t have any of the addons, bookmarks etc saved to my ‘main’ Firefox. I’m assuming that means there’s some containerization going on?
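
The open question in this thread, whether a web-app launcher runs in its own browser profile, can be checked from the launcher's Exec= line. The following is an added example, not part of the thread or of webapp-manager's code: the sample launchers, paths and function names are constructed, and it assumes only the standard .desktop Exec= key and the browsers' --profile / -P (Firefox) and --user-data-dir (Chromium/Brave) options.

```python
import shlex

# Options that give a browser its own data directory: --profile and -P are
# Firefox options, --user-data-dir is the Chromium/Brave equivalent.
PROFILE_FLAGS = ("--profile", "-P", "--user-data-dir")

# Constructed sample launchers (paths and names are made up for this example).
FIREFOX_APP = """[Desktop Entry]
Name=Instagram
Exec=sh -c 'firefox --class WebApp-Instagram --profile /home/user/webapps/instagram --no-remote https://www.instagram.com'
"""
BRAVE_APP = """[Desktop Entry]
Name=Drive
Exec=brave --app=https://drive.google.com --user-data-dir=/home/user/webapps/drive
"""
PLAIN_APP = """[Desktop Entry]
Name=Facebook
Exec=firefox --new-window https://www.facebook.com
"""

def exec_args(desktop_text):
    """Return the argv of the Exec= key in [Desktop Entry], unwrapping sh -c."""
    in_entry = False
    for raw in desktop_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_entry = line == "[Desktop Entry]"
        elif in_entry and line.startswith("Exec="):
            args = shlex.split(line[len("Exec="):])
            if len(args) >= 3 and args[0] in ("sh", "bash") and args[1] == "-c":
                args = shlex.split(args[2])  # the real command is one quoted string
            return args
    return []

def profile_dir(desktop_text):
    """Return the dedicated profile the launcher passes, or None if it has none."""
    args = exec_args(desktop_text)
    for i, arg in enumerate(args):
        for flag in PROFILE_FLAGS:
            if arg == flag and i + 1 < len(args):
                return args[i + 1]
            if arg.startswith(flag + "="):
                return arg.split("=", 1)[1]
    return None

def unisolated(launchers):
    """Names of launchers that fall back to the browser's default profile."""
    return sorted(name for name, text in launchers.items() if profile_dir(text) is None)
```

To check real launchers, pass the contents of the .desktop files under ~/.local/share/applications to profile_dir. A launcher that returns None shares cookies and logins with the browser's default profile, and two launchers returning the same directory share them with each other.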