The issue emerged when attempting to view photos stored on an SD card from my new camera I bought. After installing Brave, double clicking images in the file manager (pcmanfm-qt) would inexplicably open them in the Brave web browser. Despite confirming that Brave wasn’t set as the default application, this behavior persisted.
Upon further investigation, it was discovered that there was no mimeapps handling configuration for default applications. To resolve this, it’s advisable to set ImageViewer (Loupe) as the default handler for image types; this change effectively corrected the problem. A key best practice, in my honest opinion, is ensuring web browsers are restricted to only opening websites and .html files exclusively, rather than local images. This setup avoids unnecessary conflicts with dedicated image viewers.
This exact config fixed it for me.
/etc/xdg/mimeapps.list
[Default Applications]
# Open Images with Gnome ImageViewer (loupe)
image/png=org.gnome.Loupe.desktop
image/jpeg=org.gnome.Loupe.desktop
image/jpg=org.gnome.Loupe.desktop
image/gif=org.gnome.Loupe.desktop
image/bmp=org.gnome.Loupe.desktop
image/tiff=org.gnome.Loupe.desktop
image/webp=org.gnome.Loupe.desktop
image/*=org.gnome.Loupe.desktop
Notably, .svg files were excluded from this configuration since they’re typically handled by image editors or serve as application icons, requiring a different treatment than standard image formats like JPEG or PNG. By establishing clear defaults through mimeapps.list and ensuring each file type has a designated application, users can have secure defaults while still being able to change the default apps in the local user config, since that takes precedence over the global config. The global config just makes sure a good default is at the starting point, like most of the drop-in files already shipped.
P.S. - On the discussion of establishing default mime types, we might want to take a look at what the PDF viewer is, if any is included in the default software with the LXQt environment. It is common for people to hide malware, trackers, and unicode in .pdf files. So it would be a good idea to isolate it to one that specially blocks access to the internet and network stack (e.g., through firewall rules or process isolation, AppArmor etc.). This is the next thing I’m looking at, but I briefly wanted to touch on that.
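An added example, not part of the original post and not Kicksecure's code: a small audit that resolves the effective default handler for image types from a user and a global mimeapps.list (user entries win) and flags types that resolve to a browser or have no default at all. The file contents and the `example-browser.desktop` name are constructed samples, and the lookup is simplified (real resolution also consults desktop-specific files and installed applications).

```python
import configparser

# Constructed sample data (not taken from a real system).
SYSTEM_LIST = """\
[Default Applications]
# global defaults, e.g. /etc/xdg/mimeapps.list
image/png=org.gnome.Loupe.desktop
image/jpeg=org.gnome.Loupe.desktop
"""
USER_LIST = """\
[Default Applications]
image/jpeg=example-browser.desktop;
"""
# MimeType= values as each .desktop file would declare them (constructed).
DESKTOP_MIMETYPES = {
    "org.gnome.Loupe.desktop": "image/png;image/jpeg;image/gif;image/webp;",
    "example-browser.desktop": "text/html;image/png;image/jpeg;image/gif;x-scheme-handler/https;",
}

def parse_defaults(text):
    """Return {mime: first listed desktop id} from a mimeapps.list body."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep keys exactly as written
    cp.read_string(text)
    if not cp.has_section("Default Applications"):
        return {}
    return {m: v.split(";")[0].strip() for m, v in cp["Default Applications"].items()}

def declared(desktop_id):
    return [t for t in DESKTOP_MIMETYPES.get(desktop_id, "").split(";") if t]

def is_browser(desktop_id):
    # Heuristic: anything registering for http(s) URLs is treated as a browser.
    return any(t.startswith("x-scheme-handler/http") for t in declared(desktop_id))

def audit(mimes, user_text, system_text):
    """Classify each MIME type by its effective default handler."""
    user, system = parse_defaults(user_text), parse_defaults(system_text)
    result = {}
    for mime in mimes:
        handler = user.get(mime) or system.get(mime)  # user config wins
        if handler is None:
            exposed = any(is_browser(d) and mime in declared(d) for d in DESKTOP_MIMETYPES)
            result[mime] = "unset, browser may be picked" if exposed else "unset"
        else:
            result[mime] = "browser" if is_browser(handler) else "ok"
    return result

if __name__ == "__main__":
    for mime, status in audit(["image/png", "image/jpeg", "image/gif"], USER_LIST, SYSTEM_LIST).items():
        print(f"{mime}: {status}")
```
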
I disagree here; SVG is an XML-based file format that can even include JavaScript, it has plenty that can go wrong loading and parsing it. Loupe as an image viewer is nice because it uses the Glycin image loaders, which do the image processing in a sandbox for security reasons. People who want to edit an SVG can always right-click it, then open with Inkscape or similar.
Kicksecure and Whonix intentionally do not include a PDF viewer, because existing standalone PDF viewers are generally pretty bad from a security standpoint. Web browsers should be used to view PDFs, because they do the PDF rendering in a sandbox and are therefore likely to be safer.
I disagree here; SVG is an XML-based file format that can even include JavaScript, it has plenty that can go wrong loading and parsing it.
Wow, I never even knew this about SVG and JavaScript, thanks for the lesson, I can add that to the stuff I learned today. Is MIME sniffing even a relevant concern or risk in user mode if you’re not running a server?
I think it would be good to include a default mimes list config at the very least for image types to open in loupe. Then see if there are any others that even warrant it without limiting user choice or being too restrictive or wasting time.
Web browsers should be used to view PDFs, because they do the PDF rendering in a sandbox and are therefore likely to be safer.
Ok, which browser has better sandboxing in this context? Is Chromium or Firefox based about the same?
At the end of the day, probably best practice to not even open PDFs unless disconnected from the internet (offline) or unless you trust them.
That’s somewhat of a complicated topic, it depends on the browser of course, but also on how the browser is built and what technology you run it under (for instance, Flatpak interferes somewhat with Chromium’s sandboxing). Kicksecure’s Browser wiki page has some information, but not specifically about sandboxing at the moment. Whonix uses Tor Browser directly from Tor upstream, which should be decent assuming Tor hasn’t unintentionally misconfigured the browser. If you aren’t using Tor, then I’d probably recommend Firefox from Mozilla’s upstream repo (you can install it with the Browser Choice utility in Kicksecure). It’s unlikely to be misconfigured since it comes directly from Mozilla. (Chromium’s sandboxing is theoretically possibly stronger than Firefox’s from what I’ve heard, but the Chromium package in Debian sometimes goes out of date, and the Chromium Flatpak has weakened sandboxing like mentioned above.)
From my research I’m not quite sure; I lean more towards Chrome, but again both have JIT. I think Chrome’s V8 has been exploited more than Firefox’s SpiderMonkey or IonMonkey JIT compiler, but that may or may not be relevant here?
Yeah, I almost wonder if mimetypes /etc/xdg/mimeapps.list could be used to launch a script/wrapper to open a browser with no networking or --js-flags=--jitless, but probably not.
It’s worth noting that “more CVEs” does not necessarily equal “less secure”, but sometimes indicates “more people are looking at the code and spotting bugs”. Chromium probably has a higher number of CVEs than Firefox (I haven’t verified this), but it may still be more secure than Firefox and is just under higher scrutiny. Similarly, few or zero CVEs may simply mean that no one has tried to compromise something, not that it’s completely secure.
(On the flip side, software under higher scrutiny may come with a higher risk of in-the-wild vulnerabilities being found for it, since responsible security researchers aren’t the only ones looking for vulns in Chromium. Using a different browser that isn’t as highly researched is security by obscurity, which is generally frowned upon for good reasons, but if you aren’t relying solely or primarily on security by obscurity, it can be useful.)