Re: Intent to implement and ship: Blocking FTP subresources

2018-04-10 Thread Frederik Braun 


On 09.04.2018 15:13, Tom Schuster wrote:
> Summary: All FTP subresources in HTTPs pages (this also includes blob:
> etc) will be blocked. Opening FTP links as toplevel documents is still
> possible.
> 
> Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1404744
> 
> Platform coverage: All
> Target release: Firefox 61 (this already landed, but we forgot to send
> this, sorry!)
> Preference behind which this will be implemented: None
> Is this feature enabled by default in sandboxed iframes: Yes, enabled 
> everywhere
> DevTools bug: None

For those who have wondered about the same.
If you try loading an FTP url in an iframe, we show the following
warning in the DevTools:

Loading FTP subresource within http(s) page not allowed (Blocked loading
of: “ftp://evil.com/”)

> Do other browser engines implement this?
> Chrome shipped in M62?
> web-platform-tests: No
> Secure contexts: n/a
> ___
> dev-platform mailing list
> dev-platform@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-platform
> 
___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform

Re: Intent to implement and ship: Blocking FTP subresources

2018-04-09 Thread Tom Schuster 
Good idea. Opened a bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1452701

At least in the Chrome bug somebody was complaining that web cam page
was broken by this change. Seems like the reloading image was embedded
over FTP.

On Mon, Apr 9, 2018 at 5:54 PM, Patrick McManus  wrote:
> imo, you really need to add a pref to cover this (I'm not saying make it
> opt-in, just preffable.). It will break something somewhere and at least you
> can tell that poor person they can have compat back via config.
>
> It also has a very small possibility of breaking enterprises or something we
> would discover late, and we would want to be able to push a pref to fix
> that.
>
>
> On Mon, Apr 9, 2018 at 9:13 AM, Tom Schuster  wrote:
>>
>> Summary: All FTP subresources in HTTPs pages (this also includes blob:
>> etc) will be blocked. Opening FTP links as toplevel documents is still
>> possible.
>>
>> Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1404744
>>
>> Platform coverage: All
>> Target release: Firefox 61 (this already landed, but we forgot to send
>> this, sorry!)
>> Preference behind which this will be implemented: None
>> Is this feature enabled by default in sandboxed iframes: Yes, enabled
>> everywhere
>> DevTools bug: None
>> Do other browser engines implement this?
>> Chrome shipped in M62?
>> web-platform-tests: No
>> Secure contexts: n/a
>> ___
>> dev-platform mailing list
>> dev-platform@lists.mozilla.org
>> https://lists.mozilla.org/listinfo/dev-platform
>>
>
___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform

Re: Intent to implement and ship: Blocking FTP subresources

2018-04-09 Thread Patrick McManus 
imo, you really need to add a pref to cover this (I'm not saying make it
opt-in, just preffable.). It will break something somewhere and at least
you can tell that poor person they can have compat back via config.

It also has a very small possibility of breaking enterprises or something
we would discover late, and we would want to be able to push a pref to fix
that.


On Mon, Apr 9, 2018 at 9:13 AM, Tom Schuster  wrote:

> Summary: All FTP subresources in HTTPs pages (this also includes blob:
> etc) will be blocked. Opening FTP links as toplevel documents is still
> possible.
>
> Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1404744
>
> Platform coverage: All
> Target release: Firefox 61 (this already landed, but we forgot to send
> this, sorry!)
> Preference behind which this will be implemented: None
> Is this feature enabled by default in sandboxed iframes: Yes, enabled
> everywhere
> DevTools bug: None
> Do other browser engines implement this?
> Chrome shipped in M62?
> web-platform-tests: No
> Secure contexts: n/a
> ___
> dev-platform mailing list
> dev-platform@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-platform
>
>
___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform