Re: Intent to implement and ship: only allow Flash on HTTP/HTTPS sites

2017-02-24 Thread Benjamin Smedberg
At this point it seems unlikely that I will have time to fix this for Firefox 54, so most likely it will be Firefox 55. --BDS On Tue, Feb 14, 2017 at 8:54 PM, 段垚 wrote: > Seems I failed to convince you to change the plan. > > So the last question is: when will this happen?

Re: Intent to implement and ship: only allow Flash on HTTP/HTTPS sites

2017-02-14 Thread 段垚
Seems I failed to convince you to change the plan. So the last question is: when will this happen? On 2017/2/15 2:54, Till Schneidereit wrote: On Tue, Feb 14, 2017 at 12:00 PM, 段垚 wrote: On 2017/2/14 18:10, Till Schneidereit wrote: On Tue, Feb 14, 2017 at 12:14 AM, 段垚

Re: Intent to implement and ship: only allow Flash on HTTP/HTTPS sites

2017-02-14 Thread Till Schneidereit
On Tue, Feb 14, 2017 at 12:00 PM, 段垚 wrote: > On 2017/2/14 18:10, Till Schneidereit wrote: >> On Tue, Feb 14, 2017 at 12:14 AM, 段垚 wrote: >>> I guess all popular software has exploits being traded. How does this fact invalidate my argument?

Re: Intent to implement and ship: only allow Flash on HTTP/HTTPS sites

2017-02-14 Thread 段垚
On 2017/2/14 18:10, Till Schneidereit wrote: On Tue, Feb 14, 2017 at 12:14 AM, 段垚 wrote: I guess all popular software has exploits being traded. How does this fact invalidate my argument? I was responding to your point about the threat declining because of the declining usage

Re: Intent to implement and ship: only allow Flash on HTTP/HTTPS sites

2017-02-14 Thread Till Schneidereit
On Tue, Feb 14, 2017 at 12:14 AM, 段垚 wrote: >>> I guess all popular software has exploits being traded. How does this fact invalidate my argument? >> I was responding to your point about the threat declining because of the declining usage of Flash. This is demonstrably

Re: Intent to implement and ship: only allow Flash on HTTP/HTTPS sites

2017-02-13 Thread 段垚
On 2017/2/14 2:03, Ehsan Akhgari wrote: On 2017-02-13 11:50 AM, 段垚 wrote: On 2017/2/14 0:24, Ehsan Akhgari wrote: On 2017-02-10 7:51 PM, 段垚 wrote: On 2017/2/11 2:26, t...@ritter.vg wrote: On Friday, 10 February 2017 08:32:27 UTC-6, Benjamin Smedberg wrote: I thought I enumerated the harm at first,

Re: Intent to implement and ship: only allow Flash on HTTP/HTTPS sites

2017-02-13 Thread Ehsan Akhgari
On 2017-02-13 11:50 AM, 段垚 wrote: > On 2017/2/14 0:24, Ehsan Akhgari wrote: >> On 2017-02-10 7:51 PM, 段垚 wrote: >>> On 2017/2/11 2:26, t...@ritter.vg wrote: On Friday, 10 February 2017 08:32:27 UTC-6, Benjamin Smedberg wrote: > I thought I enumerated the harm at first, but I'll

Re: Intent to implement and ship: only allow Flash on HTTP/HTTPS sites

2017-02-13 Thread 段垚
On 2017/2/14 0:24, Ehsan Akhgari wrote: On 2017-02-10 7:51 PM, 段垚 wrote: On 2017/2/11 2:26, t...@ritter.vg wrote: On Friday, 10 February 2017 08:32:27 UTC-6, Benjamin Smedberg wrote: I thought I enumerated the harm at first, but I'll elaborate a little. 1) Flash doesn't know about and breaks our

Re: Intent to implement and ship: only allow Flash on HTTP/HTTPS sites

2017-02-13 Thread Ehsan Akhgari
On 2017-02-10 7:51 PM, 段垚 wrote: > On 2017/2/11 2:26, t...@ritter.vg wrote: >> On Friday, 10 February 2017 08:32:27 UTC-6, Benjamin Smedberg wrote: >>> I thought I enumerated the harm at first, but I'll elaborate a little. >>> 1) Flash doesn't know about and breaks our "current and

Re: Intent to implement and ship: only allow Flash on HTTP/HTTPS sites

2017-02-10 Thread 段垚
On 2017/2/11 2:26, t...@ritter.vg wrote: On Friday, 10 February 2017 08:32:27 UTC-6, Benjamin Smedberg wrote: I thought I enumerated the harm at first, but I'll elaborate a little. 1) Flash doesn't know about and breaks our "current and subdirectory only" file: origin policy. 2) Flash is a

Re: Intent to implement and ship: only allow Flash on HTTP/HTTPS sites

2017-02-10 Thread 段垚
On 2017/2/10 22:34, Benjamin Smedberg wrote: On Fri, Feb 10, 2017 at 12:36 AM, 段垚 wrote: On 2017/2/10 1:28, Benjamin Smedberg wrote: On Wed, Feb 8, 2017 at 2:26 AM, 段垚 wrote: Is this just preventing auto-loading (like "click to play") or completely disabling

Re: Intent to implement and ship: only allow Flash on HTTP/HTTPS sites

2017-02-10 Thread tom
On Friday, 10 February 2017 08:32:27 UTC-6, Benjamin Smedberg wrote: > I thought I enumerated the harm at first, but I'll elaborate a little. > 1) Flash doesn't know about and breaks our "current and subdirectory only" file: origin policy. > 2) Flash is a high-risk attack surface: if you

Re: Intent to implement and ship: only allow Flash on HTTP/HTTPS sites

2017-02-10 Thread Benjamin Smedberg
On Fri, Feb 10, 2017 at 12:36 AM, 段垚 wrote: > On 2017/2/10 1:28, Benjamin Smedberg wrote: >> On Wed, Feb 8, 2017 at 2:26 AM, 段垚 wrote: >>> Is this just preventing auto-loading (like "click to play") or completely disabling Flash for non-http(s) contents?

Re: Intent to implement and ship: only allow Flash on HTTP/HTTPS sites

2017-02-10 Thread Benjamin Smedberg
I thought I enumerated the harm at first, but I'll elaborate a little. 1) Flash doesn't know about and breaks our "current and subdirectory only" file: origin policy. 2) Flash is a high-risk attack surface: if you can get somebody to download a SWF they can probably own your system. We don't

Re: Intent to implement and ship: only allow Flash on HTTP/HTTPS sites

2017-02-10 Thread Frederik Braun
On 10.02.2017 01:09, Xidorn Quan wrote: > On Fri, Feb 10, 2017, at 04:29 AM, Benjamin Smedberg wrote: >> Will this also prevent loading downloaded .swf files into Firefox? This is useful for running Flash games, which tend to work best in the browser (some media players also support

Re: Intent to implement and ship: only allow Flash on HTTP/HTTPS sites

2017-02-09 Thread 段垚
On 2017/2/10 1:28, Benjamin Smedberg wrote: On Wed, Feb 8, 2017 at 2:26 AM, 段垚 wrote: Is this just preventing auto-loading (like "click to play") or completely disabling Flash for non-http(s) contents? This is completely disabling this content. Can users get back old

Re: Intent to implement and ship: only allow Flash on HTTP/HTTPS sites

2017-02-09 Thread Xidorn Quan
On Fri, Feb 10, 2017, at 04:29 AM, Benjamin Smedberg wrote: > Will this also prevent loading downloaded .swf files into Firefox? This is useful for running Flash games, which tend to work best in the browser (some media players also support loading Flash files, but their hotkeys tend

Re: Intent to implement and ship: only allow Flash on HTTP/HTTPS sites

2017-02-09 Thread Benjamin Smedberg
On Tue, Feb 7, 2017 at 5:19 PM, Chris Peterson wrote: > On 2/7/2017 1:15 PM, Benjamin Smedberg wrote: >> I intend to ship a change which will prevent Flash from loading from file:, ftp:, or any other URL scheme other than http: or https:. The purpose of this

Re: Intent to implement and ship: only allow Flash on HTTP/HTTPS sites

2017-02-09 Thread Benjamin Smedberg
Will this also prevent loading downloaded .swf files into Firefox? This is useful for running Flash games, which tend to work best in the browser (some media players also support loading Flash files, but their hotkeys tend to conflict). It will prevent them from loading via File > Open,

Re: Intent to implement and ship: only allow Flash on HTTP/HTTPS sites

2017-02-09 Thread Benjamin Smedberg
On Wed, Feb 8, 2017 at 2:26 AM, 段垚 wrote: > Is this just preventing auto-loading (like "click to play") or completely disabling Flash for non-http(s) contents? This is completely disabling this content. > Can users get back old behavior by flipping a preference? That

Re: Intent to implement and ship: only allow Flash on HTTP/HTTPS sites

2017-02-07 Thread 段垚
Is this just preventing auto-loading (like "click to play") or completely disabling Flash for non-http(s) contents? Can users get back old behavior by flipping a preference? We have developed a Firefox-based tool to edit/view local EPub files, which may contain Flash. If this feature can't be

Re: Intent to implement and ship: only allow Flash on HTTP/HTTPS sites

2017-02-07 Thread Emanuel Hoogeveen
On Tuesday, February 7, 2017 at 10:16:27 PM UTC+1, Benjamin Smedberg wrote: > I intend to ship a change which will prevent Flash from loading from file:, ftp:, or any other URL scheme other than http: or https:. The purpose of this change is to increase security and limit Flash to well-tested

Re: Intent to implement and ship: only allow Flash on HTTP/HTTPS sites

2017-02-07 Thread Chris Peterson
On 2/7/2017 1:15 PM, Benjamin Smedberg wrote: I intend to ship a change which will prevent Flash from loading from file:, ftp:, or any other URL scheme other than http: or https:. The purpose of this change is to increase security and limit Flash to well-tested configurations. Do you want to

Intent to implement and ship: only allow Flash on HTTP/HTTPS sites

2017-02-07 Thread Benjamin Smedberg
I intend to ship a change which will prevent Flash from loading from file:, ftp:, or any other URL scheme other than http: or https:. The purpose of this change is to increase security and limit Flash to well-tested configurations. - file: same-origin security mechanism is different, and so