Figure out how to sandbox meek in a sensible way.
sandboxed-tor-browser does not support meek at all. This is suboptimal since it is popular.
There's two ways forward from my perspective:
The correct fix would be to add code to spin up another sandbox container (since I do not think that even a neutered firefox process should live in the tor sandbox), for the meek helper firefox instance.
The quick and dirty way would be to use
meek_litesince obfs4proxy is allowed, and shipped versions contain the code. The downside is that it is even more distinct than meek usually is.