On 07/20/2010 10:08 PM, Tim Starling wrote:
> Firefogg support has been moved out to an extension, and that
> extension was not complete last time I checked. There was chunked
> upload support in the API, but it was Firefogg-specific, no
> client-neutral protocol has been proposed. The Firefogg chunking
> protocol itself is poorly thought-out and buggy, it's not the sort of
> thing you'd want to use by choice, with a non-Firefogg client.
>

We did request feedback for the protocol. We wanted to keep it simple. We are open to constructive dialog for improvement.

> When I reviewed Firefogg, I found an extremely serious CSRF
> vulnerability in it. They say they have fixed it now, but I'd still be
> more comfortable promoting better-studied client-side extensions, if
> we have to promote a client-side extension at all.
>

Yes, there was a CSRF for a recently added new feature. It was fixed and had an update deployed within hours of it being reported; that was like over a year ago now?

Firefogg has been reviewed; it has thousands of users. We are happy to do more reviewing. At one point we did some review with some Mozilla add-on folks, and we are happy to do that process again. That is of course if a CSRF from a year ago does not permanently make the extension a lost cause?

peace,
--michael

_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l