As Yawning’s Tor Browser Firejail profile (script?) is no longer available at the link in the dev wiki, I suppose the standard Firejail FF profile is sufficient when starting Tor Browser in Whonix or Qubes-Whonix.
See discussion in “Hardening Qubes-Whonix” thread and suggested wiki entry over there for background & motivation. Basically I want to polish off the instructions so normal people can use it consistently.
Most of the primary security features seem to be enabled in the Firejail profile for Firefox already e.g. seccomp, caps.drop all etc:
# Firejail profile for Mozilla Firefox (Iceweasel in Debian)
# lastpass, keepassx
# experimental features
This profile is probably okay for Firefox-ESR in a straight Debian VM, but there might be further black-listing for stuff for Tor Browser in a Whonix VM.
I don’t understand that stuff about -X11 and -Xpra options (normal user here). It seems desirable because it prevents screenshots and keyloggers from accessing stuff in other displays outside of the container. Does this mean that nothing outside of the Firefox-ESR or Tor Browser VM can be snap-shotted or logged e.g. stuff running in parallel in another VM in Qubes?
@HulaHoop are you running a (working) Tor Browser Firejail profile that is heavily modified from the above in Whonix? If so, do you mind pasting it so I can reference it for other users to try?
 See https://firejail.wordpress.com/features-3/man-firejail/