diff --git a/hosts/common/programs/assorted.nix b/hosts/common/programs/assorted.nix
index 2f22284d..34585bf3 100644
--- a/hosts/common/programs/assorted.nix
+++ b/hosts/common/programs/assorted.nix
@@ -552,8 +552,27 @@ in
     wget.sandbox.net = "all";
     wget.sandbox.whitelistPwd = true;  # saves to pwd by default
 
+    w3m.sandbox.method = "bwrap";
+    w3m.sandbox.wrapperType = "wrappedDerivation";
+    w3m.sandbox.net = "all";
+    w3m.sandbox.extraHomePaths = [
+      # little-used feature, but you can save web pages :)
+      "tmp"
+    ];
+
     whalebird.persist.byStore.private = [ ".config/Whalebird" ];
 
+    # TODO: these live in /libexec
+    # xdg-desktop-portal-gtk.sandbox.method = "bwrap";
+    # xdg-desktop-portal-gtk.sandbox.wrapperType = "inplace";
+    # xdg-desktop-portal-gtk.sandbox.whitelistDbus = [ "user" ];  # speak to main xdg-desktop-portal
+    # xdg-desktop-portal-gtk.sandbox.whitelistWayland = true;
+
+    # xdg-desktop-portal-wlr.sandbox.method = "bwrap";  # TODO:sandbox: untested
+    # xdg-desktop-portal-wlr.sandbox.wrapperType = "inplace";
+    # xdg-desktop-portal-wlr.sandbox.whitelistDbus = [ "user" ];  # speak to main xdg-desktop-portal
+    # xdg-desktop-portal-wlr.sandbox.whitelistWayland = true;
+
     xdg-terminal-exec.sandbox.enable = false;  # xdg-terminal-exec is a launcher for $TERM
     xterm.sandbox.enable = false;  # need to be able to do everything