info
Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Intent to implement and ship: Blocking FTP subresources
212 views
Skip to first unread message
Tom Schuster
Apr 9, 2018, 11:39:36 AM4/9/18
to dev-platform
Summary: All FTP subresources in HTTPs pages (this also includes blob:
etc) will be blocked. Opening FTP links as toplevel documents is still
possible.
Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1404744
Platform coverage: All
Target release: Firefox 61 (this already landed, but we forgot to send
this, sorry!)
Preference behind which this will be implemented: None
Is this feature enabled by default in sandboxed iframes: Yes, enabled everywhere
DevTools bug: None
Do other browser engines implement this?
Chrome shipped in M62?
web-platform-tests: No
Secure contexts: n/a
etc) will be blocked. Opening FTP links as toplevel documents is still
possible.
Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1404744
Platform coverage: All
Target release: Firefox 61 (this already landed, but we forgot to send
this, sorry!)
Preference behind which this will be implemented: None
Is this feature enabled by default in sandboxed iframes: Yes, enabled everywhere
DevTools bug: None
Do other browser engines implement this?
Chrome shipped in M62?
web-platform-tests: No
Secure contexts: n/a
Tom Schuster
Apr 9, 2018, 3:19:07 PM4/9/18
to Patrick McManus, dev-platform
Good idea. Opened a bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1452701
At least in the Chrome bug somebody was complaining that web cam page
was broken by this change. Seems like the reloading image was embedded
over FTP.
On Mon, Apr 9, 2018 at 5:54 PM, Patrick McManus <mcm...@ducksong.com> wrote:
> imo, you really need to add a pref to cover this (I'm not saying make it
> opt-in, just preffable.). It will break something somewhere and at least you
> can tell that poor person they can have compat back via config.
>
> It also has a very small possibility of breaking enterprises or something we
> would discover late, and we would want to be able to push a pref to fix
> that.
>> _______________________________________________
>> dev-platform mailing list
>> dev-pl...@lists.mozilla.org
>> https://lists.mozilla.org/listinfo/dev-platform
>>
>
At least in the Chrome bug somebody was complaining that web cam page
was broken by this change. Seems like the reloading image was embedded
over FTP.
On Mon, Apr 9, 2018 at 5:54 PM, Patrick McManus <mcm...@ducksong.com> wrote:
> imo, you really need to add a pref to cover this (I'm not saying make it
> opt-in, just preffable.). It will break something somewhere and at least you
> can tell that poor person they can have compat back via config.
>
> It also has a very small possibility of breaking enterprises or something we
> would discover late, and we would want to be able to push a pref to fix
> that.
>> dev-platform mailing list
>> dev-pl...@lists.mozilla.org
>> https://lists.mozilla.org/listinfo/dev-platform
>>
>
Patrick McManus
Apr 9, 2018, 3:19:07 PM4/9/18
to Tom Schuster, dev-platform
Frederik Braun
Apr 10, 2018, 4:17:58 AM4/10/18
to dev-pl...@lists.mozilla.org
On 09.04.2018 15:13, Tom Schuster wrote:
> Summary: All FTP subresources in HTTPs pages (this also includes blob:
> etc) will be blocked. Opening FTP links as toplevel documents is still
> possible.
>
> Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1404744
>
> Platform coverage: All
> Target release: Firefox 61 (this already landed, but we forgot to send
> this, sorry!)
> Preference behind which this will be implemented: None
> Is this feature enabled by default in sandboxed iframes: Yes, enabled everywhere
> DevTools bug: None
If you try loading an FTP url in an iframe, we show the following
warning in the DevTools:
Loading FTP subresource within http(s) page not allowed (Blocked loading
of: “ftp://evil.com/”)
0 new messages