Firefox 88 Released With FTP Support Disabled, Support For JavaScript In PDFs

  • #11
    Support For JavaScript In PDFs
    OMG, isn't this like a huge security issue? Any way to disable this?


    • #12
      Originally posted by atomsymbol

      Why would it be a security issue? The days of unsecure operating environments like MS-DOS are over.


      • #13
        Originally posted by kpedersen
        • I still use FTP a fair amount to get .iso images. HTTPS encryption seems very wasteful for this.
        • I never want to run any Javascript in a PDF file.

        .... good to see the web and its priorities are on track!

        bunch of clowns.

        You're missing the obvious:
        • Using TLS means the server authority is verified and password authentication easy and secure
        • Encryption overheads are negligible on modern hardware
        • Why run another ancient server when your standard https server can already handle it?
        • You can effectively write an entire UI thanks to HTML5, much easier to use than the basic FTP support we've had for decades
        • FTP is a horrible hack from before NAT was a thing, it's grossly outdated

        I do agree that Javascript in PDF seems a bad idea though.
        Last edited by Alex Atkin UK; 19 April 2021, 08:35 PM.


        • #14
          Originally posted by CochainComplex
          and yes missing ftp is a real sftp not secure enough? or is it because on ftp repos you can't push advertisement and that's why google doesn't like it. Therefore in chrome it is removed. On top of it there comes the apple effect ...oh the cool guys removed the audiojack ...let's do this too (firefox no ftp - cool) ! Or what is the problem with FTP?

          Although I also don't like the idea of dropping FTP for the sake of dropping things, asking sftp also shows the complexity of FTP families is commonly underestimated...
          FileZilla's UI has a good taxonomy about it

          First we have SFTP, which is fundamentally SSH plus something, and I don't think Firefox supports SSH natively.
          Second we have a bunch of FTP variants, including
          1. Plain FTP
          2. Explicit TLS: Start with plain FTP, but enter TLS mode with "AUTH TLS"
          3. Implicit TLS: Start with TLS, and use plain FTP over it

          Furthermore the encoding problem is totally a mess on FTP. Some (mainly old ones on Windows) servers only support the local charset, some (mainly Linux) only support UTF-8 because the "local" charset *is* UTF-8, some have to be enabled with "OPTS UTF8 ON". In addition to these, not all clients support UTF-8 so fixing your own server is not the end of the story.

          (I ran a personal FTP server for my local community more than a decade ago and hit all the problems above... I even had to put a bunch of directories starting with ! to tell users how to use this server correctly.)
          Last edited by zxy_thf; 19 April 2021, 02:19 PM.
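An added example, not part of the post above and not taken from any FTP client: it reads a server's FEAT reply and decides whether to do the explicit-TLS upgrade ("AUTH TLS") and whether to send "OPTS UTF8 ON". The sample replies are constructed, and the function names and the `require_tls` policy flag are assumptions made for the illustration.

```python
import re

# Constructed FEAT replies (RFC 2389 format), not captured from real servers.
MODERN = "211-Features:\r\n AUTH TLS\r\n UTF8\r\n MDTM\r\n211 End\r\n"
LEGACY = "211-Features:\r\n MDTM\r\n SIZE\r\n211 End\r\n"
NO_FEAT = "502 Command not implemented.\r\n"


def parse_feat(reply):
    """Return the upper-cased feature lines of a FEAT reply, or an empty set."""
    lines = [l for l in reply.replace("\r\n", "\n").split("\n") if l]
    if len(lines) < 2 or not lines[0].startswith("211-") or not lines[-1].startswith("211 "):
        return set()  # error reply or no feature list
    # Feature lines sit between the two 211 lines, each led by one space.
    return {l.strip().upper() for l in lines[1:-1] if l.startswith(" ")}


def advertises_auth_tls(feats):
    """True if some 'AUTH ...' feature line lists TLS as a mechanism."""
    for f in feats:
        tokens = [t for t in re.split(r"[ ;,]+", f) if t]
        if tokens and tokens[0] == "AUTH" and "TLS" in tokens[1:]:
            return True
    return False


def plan_session(reply, require_tls=True):
    """Commands a client would send before USER/PASS, in order."""
    feats = parse_feat(reply)
    plan = []
    if advertises_auth_tls(feats):
        # Explicit TLS: upgrade the control channel, then protect data too.
        plan += ["AUTH TLS", "PBSZ 0", "PROT P"]
    elif require_tls:
        # FEAT travels in cleartext, so an on-path party can strip AUTH TLS
        # from it; the policy check, not the advertisement, is the safeguard.
        raise ConnectionError("no AUTH TLS advertised; refusing cleartext login")
    if "UTF8" in feats:
        plan.append("OPTS UTF8 ON")  # some servers need this before UTF-8 names
    return plan


if __name__ == "__main__":
    for name, reply in [("modern", MODERN), ("legacy", LEGACY), ("no-feat", NO_FEAT)]:
        print(name, plan_session(reply, require_tls=False))
```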


          • #15
            I don't open PDFs inside browsers and, unless they try to open it automatically, this will not affect me. Seems like a huge security disaster begging to be exploited.

            To people defending use of HTTP(S?), well, FTP used to give you creation time, modification time and other timestamp data. HTTP(S?)s? The bastards that create the pages mostly can't bother to pass these important data. I would prefer to drop Firefox usage, if I could.


            • #16
              disabling FTP for security reasons and enabling JS inside PDF at the same time sounds completely inconsistent to me


              • #17
                The problem with ftp is that it is an overcomplicated protocol when compared with plain http. It does have some interesting features, but today most clients and servers don't even use them... how many people even know that the ftp protocol allows one to transfer a file between ftp servers, without using the user connection? even worse, most firewalls now simply block that. All ftp use cases can be replaced by plain http or even better, webdav (over http). http at least allows proper proxy, caching and filtering. Now replacing ftp with https is probably a little of a waste for speed, but on the other hand you gain security (especially if you send authentication) and privacy

                Using webdav is way better than ftp, you can even mount remote webdav and use them as normal folders (RW or RO), almost all OS (modern windows, mac and linux) know how to use webdav like that.

                So no, ftp in browser is really not needed anymore, people can still use filezilla or whatever ftp GUI client they want (or cli ftp), but let's hope that more servers finish the migration to plain http for public mirrors and https for private ones

                While I agree that javascript in PDFs is a very bad idea, the problem is that it already exists for several years and those PDFs already fail in firefox. Between being forced to use acrobat reader or the firefox PDF reader, I trust much more the firefox one. If they add an option to have that disabled by default, and ask the user to allow only for that pdf if the pdf is from trusted sources, it is a win


                • #18
                  Originally posted by atomsymbol

                  A mistake is that PDF is just mimicking the properties of a physical paper - only adds a scaling/zoom feature, text search (usually without regular expressions because the general public has very little idea what a regular expression is) and can be digitally signed - not much beyond that.

                  Computers are interactive in their very nature and can do more than just imitate the properties of physical paper.

                  Yes, computers can do much more than physical paper, but the purpose of PDF is just being a document.
                  Let it be a document, a plain and dumb document, please.

                  There are other means to make interactive content.


                  • #19
                    FTP support was already removed from Chrome. There's an industry-wide agreement to drop it from web browsers, because:
                    • Very few people actually use it
                    • Basic FTP is insecure
                    • Browsers never implemented secure FTP and adding that isn't trivial
                    • Users that need it will be better off with a dedicated FTP client anyway


                    • #20
                      Originally posted by franglais125
                      Re: embedded Javascript. Here is a similar request for evince/libpoppler

                      I was looking forward to something like this (for some simple animations I create with tikz, in latex).
                      On the other hand, I shudder at thinking of future malware taking advantage of this (if it manages to break out of the sandbox, obviously).

                      (Not trying to hijack the thread with gnome stuff, so please don't derail from here).

                      This is why I want PDF libraries to be written in Rust, and PDF applications to be sandboxed with technology such as seccomp, Flatpak and Snap.

                      Originally posted by kpedersen
                      • I still use FTP a fair amount to get .iso images. HTTPS encryption seems very wasteful for this.
                      • I never want to run any Javascript in a PDF file.

                      .... good to see the web and its priorities are on track!

                      bunch of clowns.

                      It is great that they removed FTP support, it is a terrible protocol and HTTPS is much better. I think the overhead of encryption should be low, everyone has high-speed internet anyways. For large files you can use BitTorrent instead.

                      Originally posted by rockiron
                      Why are they removing support for FTP????

                      What's wrong with FTP????

                      The fact that Dropbox doesn't support FTP means that Dropbox should support it, not that we should drop it

                      FTP is a terrible protocol on so many levels. It uses multiple ports, a connection for commands and a separate one for data, it expects the server to connect to the client, so it is a nightmare for firewalls and sysadmins hate it. It by default sends in ASCII, and other modes are EBCDIC for mainframes from the 60s, it is very legacy. Different servers often act differently and have non-standard extensions and clients often have to sniff which server it is and act accordingly.

                      Originally posted by kylew77
                      I agree, it is stupid to drop FTP support just like it was stupid to drop gopher support and not add gemini support. These extra protocols shouldn't take up much code and it's not like it is hurting anyone to keep them all enabled!

                      FTP is a really ugly protocol with servers that extend it in non-standard ways so clients often have to sniff which server it is connected to and adjust itself to act differently depending on the server software. Removing it is good, it is less code to maintain, easier for developers, less places for vulnerabilities. Good that they removed FTP support. Maybe you can write an extension to support Gemini.
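An added example, not written by any poster in this thread: posts #17 and #20 mention that in active mode the server connects out to an address the client supplies, which also permits server-to-server transfers. The sketch below shows the server-side check, in the spirit of RFC 2577, that accepts a PORT command only when it names the control connection's own peer and an unprivileged port. The function names and sample commands are constructed for the illustration.

```python
import ipaddress


def parse_port_arg(arg):
    """Parse 'h1,h2,h3,h4,p1,p2' (RFC 959) into (ip_string, port)."""
    parts = [p.strip() for p in arg.split(",")]
    if len(parts) != 6:
        raise ValueError("expected six comma-separated fields")
    nums = []
    for p in parts:
        if not (p.isascii() and p.isdigit()) or int(p) > 255:
            raise ValueError(f"field {p!r} is not a byte value")
        nums.append(int(p))
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]  # high byte first
    return host, port


def check_port_command(line, control_peer):
    """Return (allowed, reason) for a command received from control_peer."""
    verb, _, arg = line.strip().partition(" ")
    if verb.upper() != "PORT":
        return False, "not a PORT command"
    try:
        host, port = parse_port_arg(arg)
    except ValueError as exc:
        return False, f"malformed: {exc}"
    # The data connection may only go back to whoever sent the command.
    if ipaddress.ip_address(host) != ipaddress.ip_address(control_peer):
        return False, "third-party address"
    # Never let the server dial well-known service ports.
    if port < 1024:
        return False, "privileged port"
    return True, "ok"


if __name__ == "__main__":
    peer = "192.0.2.10"  # constructed control-connection peer (TEST-NET-1)
    for cmd in ["PORT 192,0,2,10,195,80",    # own address, port 50000
                "PORT 198,51,100,7,195,80",  # some other host
                "PORT 192,0,2,10,0,22",      # own address, port 22
                "PORT 192,0,2,10,1,300"]:    # field out of range
        print(cmd, "->", check_port_command(cmd, peer))
```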