Firefox 88 Released With FTP Support Disabled, Support For JavaScript In PDFs


  • #11
    Support For JavaScript In PDFs
    OMG, isn't this like a huge security issue? Any way to disable this?



    • #12
      Support For JavaScript In PDFs
      Originally posted by Aryma
      this is mistake and everyone will regret later
      A mistake is that PDF is just mimicking the properties of a physical paper - only adds a scaling/zoom feature, text search (usually without regular expressions because the general public has very little idea what a regular expression is) and can be digitally signed - not much beyond that.

      Computers are interactive in their very nature and can do more than just imitate the properties of physical paper.



      • #13
        Originally posted by ihatemichael

        OMG, isn't this like a huge security issue? Any way to disable this?
        Why would it be a security issue? The days of unsecure operating environments like MS-DOS are over.



        • #14
          Originally posted by atomsymbol

          Why would it be a security issue? The days of unsecure operating environments like MS-DOS are over.
          Haha.



          • #15
            Originally posted by kpedersen
            • I still use FTP a fair amount to get .iso images. HTTPS encryption seems very wasteful for this.
            • I never want to run any Javascript in a PDF file.

            .... good to see the web and its priorities are on track!

            bunch of clowns.
            You're missing the obvious:
            • Using TLS means the server authority is verified and password authentication easy and secure
            • Encryption overheads are negligible on modern hardware
            • Why run another ancient server when your standard https server can already handle it?
            • You can effectively write an entire UI thanks to HTML5, much easier to use than the basic FTP support we've had for decades
            • FTP is a horrible hack from before NAT was a thing, it's grossly outdated


            I do agree that Javascript in PDF seems a bad idea though.
            Last edited by Alex Atkin UK; 19 April 2021, 08:35 PM.



            • #16
              Originally posted by CochainComplex
              and yes missing ftp is a real bummer... is sftp not secure enough? or is it because on ftp repos you can't push advertisement and that's why google doesn't like it. Therefore in chrome it is removed. On top of it there comes the apple effect ...oh the cool guys removed the audiojack ...let's do this too (firefox no ftp - cool)! Or what is the problem with FTP?
              Although I also don't like the idea of dropping FTP for the sake of dropping things, asking about sftp also shows that the complexity of the FTP families is commonly underestimated...
              FileZilla's UI has a good taxonomy about it

              First we have SFTP, which is fundamentally SSH plus something, and I don't think Firefox supports SSH natively.
              Second we have a bunch of FTP variants, including
              1. Plain FTP
              2. Explicit TLS: Start with plain FTP, but enter TLS mode with "AUTH TLS"
              3. Implicit TLS: Start with TLS, and use plain FTP over it

              Furthermore the encoding problem is totally a mess on FTP. Some (mainly old ones on Windows) servers only support the local charset, some (mainly Linux) only support UTF-8 because the "local" charset *is* UTF-8, and some have to be enabled with "OPTS UTF8 ON". In addition to these, not all clients support UTF-8, so fixing your own server is not the end of the story.

              (I ran a personal FTP server for my local community more than a decade ago and hit all the problems above... I even had to put a bunch of directories starting with ! to tell users how to use this server correctly.)
              Last edited by zxy_thf; 19 April 2021, 02:19 PM.
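
Added example, not part of any post in this thread: the taxonomy in post #16 (plain FTP, explicit TLS via "AUTH TLS", implicit TLS, and the UTF-8 mess) can be read off a server's control channel. This sketch parses a FEAT reply (RFC 2389) and classifies the server; the sample replies are constructed, and the names `parse_feat` and `classify` are hypothetical.

```python
import re

# Constructed sample FEAT replies (not captured from real servers).
MODERN = ("211-Features:\r\n AUTH TLS\r\n AUTH SSL\r\n PBSZ\r\n PROT\r\n"
          " UTF8\r\n MLST type*;size*;modify*;\r\n211 End\r\n")
LEGACY = "211-Extensions supported:\r\n SIZE\r\n MDTM\r\n211 End\r\n"
NO_FEAT = "500 Unknown command.\r\n"


def parse_feat(reply):
    """Parse a multi-line FEAT reply (RFC 2389) into {NAME: {param tokens}}."""
    lines = reply.splitlines()
    feats = {}
    if not lines or not lines[0].startswith("211-"):
        return feats  # no feature list, e.g. a 500/502 reply
    for line in lines[1:]:
        if line.startswith("211 "):  # final line of the reply
            break
        if line.startswith(" ") and line.strip():  # feature lines are indented
            name, _, params = line.strip().partition(" ")
            tokens = {t for t in re.split(r"[;,\s]+", params.upper()) if t}
            feats.setdefault(name.upper(), set()).update(tokens)
    return feats


def classify(feat_reply, tls_on_connect=False):
    """Map a FEAT reply onto the variants listed in post #16.

    tls_on_connect: True if the TLS handshake happened before the greeting
    (implicit TLS); the caller has to observe that, FEAT cannot show it.
    """
    feats = parse_feat(feat_reply)
    if tls_on_connect:
        variant = "implicit TLS"
    elif "TLS" in feats.get("AUTH", set()):
        variant = "explicit TLS"  # client must send AUTH TLS before USER/PASS
    else:
        variant = "plain FTP"     # USER/PASS cross the network in cleartext
    return {
        "variant": variant,
        "cleartext_login": variant == "plain FTP",
        "utf8_advertised": "UTF8" in feats,  # else the charset is a guess
    }


if __name__ == "__main__":
    for label, reply in (("modern", MODERN), ("legacy", LEGACY), ("no FEAT", NO_FEAT)):
        print(label, classify(reply))
```
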



              • #17
                I don't open PDFs inside browsers and, unless they try to open it automatically, this will not affect me. Seems like a huge security disaster begging to be exploited.

                To people defending use of HTTP(S?), well, FTP used to give you creation time, modification time and other timestamp data. HTTP(S?)s? The bastards that create the pages mostly can't bother to pass these important data. I would prefer to drop Firefox usage, if I could.



                • #18
                  disabling FTP for security reason and enabling JS inside PDF at the same time sounds completely inconsistent to me



                  • #19
                    The problem with ftp is that it is an overcomplicated protocol when compared with plain http. It does have some interesting features, but today most clients and servers don't even use them... how many people even know that the ftp protocol allows one to transfer a file between ftp servers, without using the user connection? Even worse, most firewalls now simply block that. All ftp use cases can be replaced by plain http or even better, webdav (over http). http at least allows proper proxying, caching and filtering. Now replacing ftp with https is probably a little bit of a waste for speed, but on the other hand you gain security (especially if you send authentication) and privacy.

                    Using webdav is way better than ftp, you can even mount remote webdav shares and use them as normal folders (RW or RO); almost all OSes (modern windows, mac and linux) know how to use webdav like that.

                    So no, ftp in the browser is really not needed anymore; people can still use filezilla or whatever ftp GUI client they want (or cli ftp), but let's hope that more servers finish the migration to plain http for public mirrors and https for private ones.

                    While I agree that javascript in PDFs is a very bad idea, the problem is that it has already existed for several years and those PDFs already fail in firefox. Between being forced to use acrobat reader or the firefox PDF reader, I trust the firefox one much more. If they add an option to have that disabled by default, and ask the user to allow it only for that pdf if the pdf is from trusted sources, it is a win.



                    • #20
                      Originally posted by atomsymbol
                      A mistake is that PDF is just mimicking the properties of a physical paper - only adds a scaling/zoom feature, text search (usually without regular expressions because the general public has very little idea what a regular expression is) and can be digitally signed - not much beyond that.

                      Computers are interactive in their very nature and can do more than just imitate the properties of physical paper.
                      Yes, computers can do much more than physical paper, but the purpose of PDF is just being a document.
                      Let it be a document, a plain and dumb document, please.

                      There are other means to make interactive contents.
