Re: Intent to unship: FTP protocol implementation

2021-02-10 Thread Mike Hommey 
On Wed, Feb 10, 2021 at 11:00:14AM +0100, Valentin Gosu wrote:
> On Wed, 10 Feb 2021 at 09:57, Mike Hommey  wrote:
> 
> > On Wed, Feb 10, 2021 at 10:45:53AM +0200, Henri Sivonen wrote:
> > > On Wed, Feb 10, 2021 at 10:37 AM Valentin Gosu 
> > wrote:
> > > > FTP support is currently disabled on Nightly.
> > > > Our current plan is for the pref flip to ride the trains with Firefox
> > 88 to
> > > > beta and release [1], meaning we would be disabling FTP a week after
> > Chrome
> > > > [2]
> > >
> > > Are we also stopping advertising the capability to act as an ftp: URL
> > > handler to operating systems? Currently, if I try to follow an ftp:
> > > URL in Gnome Terminal, it tries to launch Firefox. Is that something
> > > we advertise to Gnome or something that Gnome just knows and needs to
> > > be patched to stop knowing?
> >
> > I /think/ this comes from the .desktop file, which in most cases, comes
> > from the distro.
> >
> 
> We have this bug on file:
> https://bugzilla.mozilla.org/show_bug.cgi?id=1667468
> We should definitely stop registering Firefox as an ftp handler.

Oh right, the external protocol service also registers.

Mike
___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform

Re: Intent to unship: FTP protocol implementation

2021-02-10 Thread Valentin Gosu 
On Wed, 10 Feb 2021 at 09:57, Mike Hommey  wrote:

> On Wed, Feb 10, 2021 at 10:45:53AM +0200, Henri Sivonen wrote:
> > On Wed, Feb 10, 2021 at 10:37 AM Valentin Gosu 
> wrote:
> > > FTP support is currently disabled on Nightly.
> > > Our current plan is for the pref flip to ride the trains with Firefox
> 88 to
> > > beta and release [1], meaning we would be disabling FTP a week after
> Chrome
> > > [2]
> >
> > Are we also stopping advertising the capability to act as an ftp: URL
> > handler to operating systems? Currently, if I try to follow an ftp:
> > URL in Gnome Terminal, it tries to launch Firefox. Is that something
> > we advertise to Gnome or something that Gnome just knows and needs to
> > be patched to stop knowing?
>
> I /think/ this comes from the .desktop file, which in most cases, comes
> from the distro.
>

We have this bug on file:
https://bugzilla.mozilla.org/show_bug.cgi?id=1667468
We should definitely stop registering Firefox as an ftp handler.
___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform

Re: Intent to unship: FTP protocol implementation

2021-02-10 Thread Anne van Kesteren 
On Wed, Feb 10, 2021 at 9:37 AM Valentin Gosu  wrote:
> FTP support is currently disabled on Nightly.

Does this have any impact on the URL parser? Do we still (want to?)
support the ftp scheme in form submission (to then delegate the
computed URL to some kind of handler rather than the browser)? Not
sure there are other bits in standards that are impacted by this, but
it will certainly allow for some nice cleanup in Fetch. 
___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform

Re: Intent to unship: FTP protocol implementation

2021-02-10 Thread Mike Hommey 
On Wed, Feb 10, 2021 at 10:45:53AM +0200, Henri Sivonen wrote:
> On Wed, Feb 10, 2021 at 10:37 AM Valentin Gosu  
> wrote:
> > FTP support is currently disabled on Nightly.
> > Our current plan is for the pref flip to ride the trains with Firefox 88 to
> > beta and release [1], meaning we would be disabling FTP a week after Chrome
> > [2]
> 
> Are we also stopping advertising the capability to act as an ftp: URL
> handler to operating systems? Currently, if I try to follow an ftp:
> URL in Gnome Terminal, it tries to launch Firefox. Is that something
> we advertise to Gnome or something that Gnome just knows and needs to
> be patched to stop knowing?

I /think/ this comes from the .desktop file, which in most cases, comes
from the distro.

Mike
___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform

Re: Intent to unship: FTP protocol implementation

2021-02-10 Thread Henri Sivonen 
On Wed, Feb 10, 2021 at 10:37 AM Valentin Gosu  wrote:
> FTP support is currently disabled on Nightly.
> Our current plan is for the pref flip to ride the trains with Firefox 88 to
> beta and release [1], meaning we would be disabling FTP a week after Chrome
> [2]

Are we also stopping advertising the capability to act as an ftp: URL
handler to operating systems? Currently, if I try to follow an ftp:
URL in Gnome Terminal, it tries to launch Firefox. Is that something
we advertise to Gnome or something that Gnome just knows and needs to
be patched to stop knowing?

-- 
Henri Sivonen
hsivo...@mozilla.com
___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform

Re: Intent to unship: FTP protocol implementation

2021-02-10 Thread Valentin Gosu 
Hi everyone,

FTP support is currently disabled on Nightly.
Our current plan is for the pref flip to ride the trains with Firefox 88 to
beta and release [1], meaning we would be disabling FTP a week after Chrome
[2]
Firefox 89 is supposed to remove the FTP code completely [3]

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1691890
[2] https://bugs.chromium.org/p/chromium/issues/detail?id=333943#c66
[3] https://bugzilla.mozilla.org/show_bug.cgi?id=1574475

Thanks!


On Mon, 27 Apr 2020 at 13:40, Michal Novotny 
wrote:

> SFTP was never supported by Firefox.
>
> On 4/27/20 12:59 PM, nikunjbhat...@gmail.com wrote:
> > There is no information about sFTP in this page. Will sFTP work in
> Firefox? Or all FTP related functionality will be removed? Will users be
> able to list files and directories in Firefox from sFTP server?
> >
> > On Thursday, March 19, 2020 at 5:54:50 AM UTC+5:30, Michal Novotny wrote:
> >> We plan to remove FTP protocol implementation from our code. This work
> >> is tracked in bug 1574475 [1]. The plan is to
> >>
> >> - place FTP behind a pref and turn it off by default on 77 [2]
> >> - keep FTP enabled by default on 78 ESR [3]
> >> - remove the code completely at the beginning of 2021
> >>
> >> We're doing this for security reasons. FTP is an insecure protocol and
> >> there are no reasons to prefer it over HTTPS for downloading resources.
> >> Also, a part of the FTP code is very old, unsafe and hard to maintain
> >> and we found a lot of security bugs in it in the past. After disabling
> >> FTP in our code, the protocol will be handled by external application,
> >> so people can still use it to download resources if they really want to.
> >> However, it won't be possible to view and browse directory listings.
> >>
> >>
> >> [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1574475
> >> [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1622409
> >> [3] https://bugzilla.mozilla.org/show_bug.cgi?id=1622410
> >
> > ___
> > dev-platform mailing list
> > dev-platform@lists.mozilla.org
> > https://lists.mozilla.org/listinfo/dev-platform
> >
>
> ___
> dev-platform mailing list
> dev-platform@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-platform
>
___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform

Re: Intent to unship: FTP protocol implementation

2020-04-27 Thread Michal Novotny 

SFTP was never supported by Firefox.

On 4/27/20 12:59 PM, nikunjbhat...@gmail.com wrote:

There is no information about sFTP in this page. Will sFTP work in Firefox? Or 
all FTP related functionality will be removed? Will users be able to list files 
and directories in Firefox from sFTP server?

On Thursday, March 19, 2020 at 5:54:50 AM UTC+5:30, Michal Novotny wrote:

We plan to remove FTP protocol implementation from our code. This work
is tracked in bug 1574475 [1]. The plan is to

- place FTP behind a pref and turn it off by default on 77 [2]
- keep FTP enabled by default on 78 ESR [3]
- remove the code completely at the beginning of 2021

We're doing this for security reasons. FTP is an insecure protocol and
there are no reasons to prefer it over HTTPS for downloading resources.
Also, a part of the FTP code is very old, unsafe and hard to maintain
and we found a lot of security bugs in it in the past. After disabling
FTP in our code, the protocol will be handled by external application,
so people can still use it to download resources if they really want to.
However, it won't be possible to view and browse directory listings.


[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1574475
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1622409
[3] https://bugzilla.mozilla.org/show_bug.cgi?id=1622410


___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform



___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform

Re: Intent to unship: FTP protocol implementation

2020-04-27 Thread nikunjbhatt84 
There is no information about sFTP in this page. Will sFTP work in Firefox? Or 
all FTP related functionality will be removed? Will users be able to list files 
and directories in Firefox from sFTP server?

On Thursday, March 19, 2020 at 5:54:50 AM UTC+5:30, Michal Novotny wrote:
> We plan to remove FTP protocol implementation from our code. This work 
> is tracked in bug 1574475 [1]. The plan is to
> 
> - place FTP behind a pref and turn it off by default on 77 [2]
> - keep FTP enabled by default on 78 ESR [3]
> - remove the code completely at the beginning of 2021
> 
> We're doing this for security reasons. FTP is an insecure protocol and 
> there are no reasons to prefer it over HTTPS for downloading resources. 
> Also, a part of the FTP code is very old, unsafe and hard to maintain 
> and we found a lot of security bugs in it in the past. After disabling 
> FTP in our code, the protocol will be handled by external application, 
> so people can still use it to download resources if they really want to. 
> However, it won't be possible to view and browse directory listings.
> 
> 
> [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1574475
> [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1622409
> [3] https://bugzilla.mozilla.org/show_bug.cgi?id=1622410

___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform

Re: Intent to unship: FTP protocol implementation

2020-03-24 Thread ValdikSS via dev-platform 
Just a random Joe here, but I'd like to vote *against removing FTP support*. 
FTP is still widely used, its easy to configure and to use file transfer 
protocol. Despite its age, there still aren't really any proper full-featured 
and well-supported alternatives for FTP, one of the reason is because FTP is 
universally supported in OS and browsers while other protocols are not, and 
removing FTP support from Firefox removes "old and ugly" protocol without 
introducing any alternative for it, reducing the software functionality for end 
user.

The main advantage of the protocol is its design for file transfer only. Unlike 
more general and complex protocols like HTTP, FTP does not require for the 
administrator to setup and configure multiple complex software (web server + 
application server/interpreter + file sharing software on top of it) to perform 
one simple thing: file transfer. You can't upload whole folder without complex 
hacks via HTTP, while FTP allows to do that in one click.

File transfer with FTP:

  * Easy software setup, lots of mature server and client software for any 
platform
  * Upload privileges could be given as easy as sharing the link
  * You can download and upload whole folders
  * You can navigate through folders, download and upload files and folders 
with stock Unix and Windows console and graphical software

File transfer with HTTP:

  * Complex software setup: web server + special third-party file transfer 
software, which does not conform to any specification
  * Could not be properly used outside of web browsers
  * No functionality to download multiple files at once, only file-by-file
  * No functionality to download or upload folders

One of the argument against FTP is that it's unsecure. The plain FTP, just as 
HTTP, does not have encryption, but there's HTTPS alternative for FTP — FTPS, 
which is a TLS layer on top of FTP. I believe it could be easily implemented in 
Firefox. There's a bug for adding FTPS support which has been filled 19 (!) 
years ago
https://bugzilla.mozilla.org/show_bug.cgi?id=85464

I guess It would be acceptable if Mozilla remove FTP support but introduce it's 
alternative, WebDAV for example. WebDAV is a file transfer protocol on top of 
HTTP. It provides functionality similar to FTP, but it's not popular due to 
very limited software support (both client and server).

I ask you to consider not to remove FTP support. Despite its problems, the 
protocol still does what it is designed to do and beats its rivals. If protocol 
insecurity is the only consideration, I am willing to help by implementing FTPS 
(FTP over TLS) support and sending a patch, if that would change Mozilla's 
decision to keep this functionality. Please let me know if I can do anything, 
because I won't try to implement FTPS support if it won't be merged.

Also, Google still index FTPs. I find it strange if the user clicks on Google 
search result and it could not be opened in a browser.



On 19.03.2020 03:24, Michal Novotny wrote:
> We plan to remove FTP protocol implementation from our code. This work is 
> tracked in bug 1574475 [1]. The plan is to
>
> - place FTP behind a pref and turn it off by default on 77 [2]
> - keep FTP enabled by default on 78 ESR [3]
> - remove the code completely at the beginning of 2021
>
> We're doing this for security reasons. FTP is an insecure protocol and there 
> are no reasons to prefer it over HTTPS for downloading resources. Also, a 
> part of the FTP code is very old, unsafe and hard to maintain and we found a 
> lot of security bugs in it in the past. After disabling FTP in our code, the 
> protocol will be handled by external application, so people can still use it 
> to download resources if they really want to. However, it won't be possible 
> to view and browse directory listings.
>
>
> [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1574475
> [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1622409
> [3] https://bugzilla.mozilla.org/show_bug.cgi?id=1622410
>


signature.asc
Description: OpenPGP digital signature
___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform

Re: Intent to unship: FTP protocol implementation

2020-03-24 Thread Nhi Nguyen 
Update: In light of recent events, we will only disable FTP in Nightly,
starting from 77. FTP will remain enabled in release until further notice.

On Thu, Mar 19, 2020 at 7:01 AM Michal Novotny 
wrote:

> We added the telemetry probes in bug 1579507 [1] to see how many users
> still use FTP. The usage was pretty low as you can see in bug 1570155 [2].
>
> [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1579507
> [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1570155#c5
>
>
> On 3/19/20 10:26 AM, Johann Hofmann wrote:
> > Can you share some insight into the usage telemetry that was considered
> > for unshipping this?
> >
> > On Thu, Mar 19, 2020 at 9:02 AM Henri Sivonen  > > wrote:
> >
> > On Thu, Mar 19, 2020 at 2:24 AM Michal Novotny
> > mailto:michal.novo...@gmail.com>> wrote:
> >  > We plan to remove FTP protocol implementation from our code.
> >
> > Chrome's status dashboard says "deprecated" and
> > https://textslashplain.com/2019/11/04/bye-ftp-support-is-going-away/
> > said the plan was to turn FTP off by default in version 80. Yet, I
> > just successfully loaded ftp://ftp.funet.fi in Chrome 80 on Mac and
> in
> > Edge 82 (Canary) on Windows 10, and I'm certain I haven't touched the
> > flag in either. (The location bar kept showing the ftp:// URL, so it
> > doesn't appear to be a case of automatically trying HTTP.)
> >
> > Do we know why Chrome didn't proceed as planned? Do we know what
> their
> > current plan is?
> >
> > Do we know if Edge intends to track Chrome on this feature or to make
> > an effort to patch a different outcome?
> >
> > --
> > Henri Sivonen
> > hsivo...@mozilla.com 
> > ___
> > dev-platform mailing list
> > dev-platform@lists.mozilla.org  dev-platform@lists.mozilla.org>
> > https://lists.mozilla.org/listinfo/dev-platform
> >
>
> ___
> dev-platform mailing list
> dev-platform@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-platform
>
___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform

Re: Intent to unship: FTP protocol implementation

2020-03-19 Thread Michal Novotny 
We added the telemetry probes in bug 1579507 [1] to see how many users 
still use FTP. The usage was pretty low as you can see in bug 1570155 [2].


[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1579507
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1570155#c5


On 3/19/20 10:26 AM, Johann Hofmann wrote:
Can you share some insight into the usage telemetry that was considered 
for unshipping this?


On Thu, Mar 19, 2020 at 9:02 AM Henri Sivonen > wrote:


On Thu, Mar 19, 2020 at 2:24 AM Michal Novotny
mailto:michal.novo...@gmail.com>> wrote:
 > We plan to remove FTP protocol implementation from our code.

Chrome's status dashboard says "deprecated" and
https://textslashplain.com/2019/11/04/bye-ftp-support-is-going-away/
said the plan was to turn FTP off by default in version 80. Yet, I
just successfully loaded ftp://ftp.funet.fi in Chrome 80 on Mac and in
Edge 82 (Canary) on Windows 10, and I'm certain I haven't touched the
flag in either. (The location bar kept showing the ftp:// URL, so it
doesn't appear to be a case of automatically trying HTTP.)

Do we know why Chrome didn't proceed as planned? Do we know what their
current plan is?

Do we know if Edge intends to track Chrome on this feature or to make
an effort to patch a different outcome?

-- 
Henri Sivonen

hsivo...@mozilla.com 
___
dev-platform mailing list
dev-platform@lists.mozilla.org 
https://lists.mozilla.org/listinfo/dev-platform



___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform

Re: Intent to unship: FTP protocol implementation

2020-03-19 Thread Cameron McCormack 
If you plan to time the unshipping of our FTP support to be after Chrome 81, 
then please be aware that Chrome releases are currently paused on Chrome 80.

https://chromereleases.googleblog.com/2020/03/upcoming-chrome-and-chrome-os-releases.html

On Thu, Mar 19, 2020, at 8:56 PM, Michal Novotny wrote:
> According to [1], it will be turned off for all users in 81. In 80 it 
> will be turned off for 1% of users.
> 
> [1] 
> https://docs.google.com/document/d/1JUra5HnsbR_xmtQctkb2iVxRPuhPWhMB5M_zpbuGxTY/edit#heading=h.a4pkgy626xf3
> 
> 
> On 3/19/20 9:02 AM, Henri Sivonen wrote:
> > On Thu, Mar 19, 2020 at 2:24 AM Michal Novotny  
> > wrote:
> >> We plan to remove FTP protocol implementation from our code.
> > 
> > Chrome's status dashboard says "deprecated" and
> > https://textslashplain.com/2019/11/04/bye-ftp-support-is-going-away/
> > said the plan was to turn FTP off by default in version 80. Yet, I
> > just successfully loaded ftp://ftp.funet.fi in Chrome 80 on Mac and in
> > Edge 82 (Canary) on Windows 10, and I'm certain I haven't touched the
> > flag in either. (The location bar kept showing the ftp:// URL, so it
> > doesn't appear to be a case of automatically trying HTTP.)
> > 
> > Do we know why Chrome didn't proceed as planned? Do we know what their
> > current plan is?
> > 
> > Do we know if Edge intends to track Chrome on this feature or to make
> > an effort to patch a different outcome?
> > 
> 
> ___
> dev-platform mailing list
> dev-platform@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-platform
>
___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform

Re: Intent to unship: FTP protocol implementation

2020-03-19 Thread Michal Novotny 
Yes, it's OS specific, so it depends on what application is registered 
to handle FTP URI.



On 3/19/20 10:29 AM, David Teller wrote:

Out of curiosity, what external application? OS-specific?

On 19/03/2020 01:24, Michal Novotny wrote:

We plan to remove FTP protocol implementation from our code. This work
is tracked in bug 1574475 [1]. The plan is to

- place FTP behind a pref and turn it off by default on 77 [2]
- keep FTP enabled by default on 78 ESR [3]
- remove the code completely at the beginning of 2021

We're doing this for security reasons. FTP is an insecure protocol and
there are no reasons to prefer it over HTTPS for downloading resources.
Also, a part of the FTP code is very old, unsafe and hard to maintain
and we found a lot of security bugs in it in the past. After disabling
FTP in our code, the protocol will be handled by external application,
so people can still use it to download resources if they really want to.
However, it won't be possible to view and browse directory listings.


[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1574475
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1622409
[3] https://bugzilla.mozilla.org/show_bug.cgi?id=1622410
___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform

___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform



___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform

Re: Intent to unship: FTP protocol implementation

2020-03-19 Thread Romain Testard 
Would it make sense to ship after Chrome to help ensure this does not lead
to churn?
Also at a time people try to find ways to work from home and share files
(spike of usage in Firefox send), potentially breaking ways people have to
share files may not be good timing?

On Thu, Mar 19, 2020 at 10:42 AM Frederik Braun  wrote:

> > We're doing this for security reasons. FTP is an insecure protocol and
> > there are no reasons to prefer it over HTTPS for downloading resources.
> > Also, a part of the FTP code is very old, unsafe and hard to maintain
> > and we found a lot of security bugs in it in the past.
>
> I know this used to be (is?) a widely used feature, but I can second
> these considerations. It's not right to waste smart network engineering
> time on decades old legacy code and it's likely even harder to justify a
> rewrite.
> ___
> dev-platform mailing list
> dev-platform@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-platform
>
___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform

Re: Intent to unship: FTP protocol implementation

2020-03-19 Thread Michal Novotny 
According to [1], it will be turned off for all users in 81. In 80 it 
will be turned off for 1% of users.


[1] 
https://docs.google.com/document/d/1JUra5HnsbR_xmtQctkb2iVxRPuhPWhMB5M_zpbuGxTY/edit#heading=h.a4pkgy626xf3



On 3/19/20 9:02 AM, Henri Sivonen wrote:

On Thu, Mar 19, 2020 at 2:24 AM Michal Novotny  wrote:

We plan to remove FTP protocol implementation from our code.


Chrome's status dashboard says "deprecated" and
https://textslashplain.com/2019/11/04/bye-ftp-support-is-going-away/
said the plan was to turn FTP off by default in version 80. Yet, I
just successfully loaded ftp://ftp.funet.fi in Chrome 80 on Mac and in
Edge 82 (Canary) on Windows 10, and I'm certain I haven't touched the
flag in either. (The location bar kept showing the ftp:// URL, so it
doesn't appear to be a case of automatically trying HTTP.)

Do we know why Chrome didn't proceed as planned? Do we know what their
current plan is?

Do we know if Edge intends to track Chrome on this feature or to make
an effort to patch a different outcome?



___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform

Re: Intent to unship: FTP protocol implementation

2020-03-19 Thread Frederik Braun 
> We're doing this for security reasons. FTP is an insecure protocol and
> there are no reasons to prefer it over HTTPS for downloading resources.
> Also, a part of the FTP code is very old, unsafe and hard to maintain
> and we found a lot of security bugs in it in the past. 

I know this used to be (is?) a widely used feature, but I can second
these considerations. It's not right to waste smart network engineering
time on decades old legacy code and it's likely even harder to justify a
rewrite.
___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform

Re: Intent to unship: FTP protocol implementation

2020-03-19 Thread Frederik Braun 
AFAIU chrome removed all web-observable/web-exposed bits of FTP (e.g.,
navigations, subresources etc.)but still allows top-level navigations
from the user.


Am 19.03.20 um 09:02 schrieb Henri Sivonen:
> On Thu, Mar 19, 2020 at 2:24 AM Michal Novotny  
> wrote:
>> We plan to remove FTP protocol implementation from our code.
> 
> Chrome's status dashboard says "deprecated" and
> https://textslashplain.com/2019/11/04/bye-ftp-support-is-going-away/
> said the plan was to turn FTP off by default in version 80. Yet, I
> just successfully loaded ftp://ftp.funet.fi in Chrome 80 on Mac and in
> Edge 82 (Canary) on Windows 10, and I'm certain I haven't touched the
> flag in either. (The location bar kept showing the ftp:// URL, so it
> doesn't appear to be a case of automatically trying HTTP.)
> 
> Do we know why Chrome didn't proceed as planned? Do we know what their
> current plan is?
> 
> Do we know if Edge intends to track Chrome on this feature or to make
> an effort to patch a different outcome?
> 
___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform

Re: Intent to unship: FTP protocol implementation

2020-03-19 Thread David Teller 
Out of curiosity, what external application? OS-specific?

On 19/03/2020 01:24, Michal Novotny wrote:
> We plan to remove FTP protocol implementation from our code. This work
> is tracked in bug 1574475 [1]. The plan is to
> 
> - place FTP behind a pref and turn it off by default on 77 [2]
> - keep FTP enabled by default on 78 ESR [3]
> - remove the code completely at the beginning of 2021
> 
> We're doing this for security reasons. FTP is an insecure protocol and
> there are no reasons to prefer it over HTTPS for downloading resources.
> Also, a part of the FTP code is very old, unsafe and hard to maintain
> and we found a lot of security bugs in it in the past. After disabling
> FTP in our code, the protocol will be handled by external application,
> so people can still use it to download resources if they really want to.
> However, it won't be possible to view and browse directory listings.
> 
> 
> [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1574475
> [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1622409
> [3] https://bugzilla.mozilla.org/show_bug.cgi?id=1622410
> ___
> dev-platform mailing list
> dev-platform@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-platform
___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform

Re: Intent to unship: FTP protocol implementation

2020-03-19 Thread Johann Hofmann 
Can you share some insight into the usage telemetry that was considered for
unshipping this?

On Thu, Mar 19, 2020 at 9:02 AM Henri Sivonen  wrote:

> On Thu, Mar 19, 2020 at 2:24 AM Michal Novotny 
> wrote:
> > We plan to remove FTP protocol implementation from our code.
>
> Chrome's status dashboard says "deprecated" and
> https://textslashplain.com/2019/11/04/bye-ftp-support-is-going-away/
> said the plan was to turn FTP off by default in version 80. Yet, I
> just successfully loaded ftp://ftp.funet.fi in Chrome 80 on Mac and in
> Edge 82 (Canary) on Windows 10, and I'm certain I haven't touched the
> flag in either. (The location bar kept showing the ftp:// URL, so it
> doesn't appear to be a case of automatically trying HTTP.)
>
> Do we know why Chrome didn't proceed as planned? Do we know what their
> current plan is?
>
> Do we know if Edge intends to track Chrome on this feature or to make
> an effort to patch a different outcome?
>
> --
> Henri Sivonen
> hsivo...@mozilla.com
> ___
> dev-platform mailing list
> dev-platform@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-platform
>
___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform

Re: Intent to unship: FTP protocol implementation

2020-03-19 Thread Henri Sivonen 
On Thu, Mar 19, 2020 at 2:24 AM Michal Novotny  wrote:
> We plan to remove FTP protocol implementation from our code.

Chrome's status dashboard says "deprecated" and
https://textslashplain.com/2019/11/04/bye-ftp-support-is-going-away/
said the plan was to turn FTP off by default in version 80. Yet, I
just successfully loaded ftp://ftp.funet.fi in Chrome 80 on Mac and in
Edge 82 (Canary) on Windows 10, and I'm certain I haven't touched the
flag in either. (The location bar kept showing the ftp:// URL, so it
doesn't appear to be a case of automatically trying HTTP.)

Do we know why Chrome didn't proceed as planned? Do we know what their
current plan is?

Do we know if Edge intends to track Chrome on this feature or to make
an effort to patch a different outcome?

-- 
Henri Sivonen
hsivo...@mozilla.com
___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform