While I'd like to maintain backwards compatibility in a point release, I feel that the security of our users takes precedence. We should make sure to add a note to the release notes for Infusion 1.5 about why Flash support for the uploader was removed.
+1

Justin

On May 1, 2014, at 9:46 AM, Clark, Colin <[email protected]> wrote:

> Hi everyone,
>
> I have discovered that SWFUpload, the Flash-based backend that we use for the
> Uploader on legacy (i.e. old Internet Explorer) browsers, has an unpatched
> cross-site scripting vulnerability. I’ve filed a JIRA ticket about this issue
> here:
>
> http://issues.fluidproject.org/browse/FLUID-5354
>
> SWFUpload has, sadly, always represented some of the worst and most brittle
> code we’ve encountered. Replacing it is costly, and times are changing. Our
> plan for post-1.5 has been to drop support for legacy (i.e. non latest
> version) browsers. This would have involved removing Flash support in the
> Uploader anyway.
>
> Given the severity of this issue, I am proposing that we go ahead and drop
> Flash support from the Uploader in the Infusion 1.5 release. On legacy
> browsers such as IE 8 and 9, the simple file uploader will be delivered
> instead. Modern browsers will get the feature-rich HTML5 version.
>
> Colin
>
> ---
> Colin Clark
> Lead Software Architect,
> Inclusive Design Research Centre, OCAD University
> http://inclusivedesign.ca
>
> _______________________________________________________
> fluid-work mailing list - [email protected]
> To unsubscribe, change settings or access archives,
> see http://lists.idrc.ocad.ca/mailman/listinfo/fluid-work
