OMG, isn't this like a huge security issue? Any way to disable this?

Haha.

You're missing the obvious:

• Using TLS means the server authority is verified and password authentication easy and secure
• Encryption overheads are negligible on modern hardware
• Why run another ancient server when your standard https server can already handle it?
• You can effectively write an entire UI thanks to HTML5, much easier to use than the basic FTP support we've had for decades
• FTP is a horrible hack from before NAT was a thing, its grossly outdated

I do agree that Javascript in PDF seems a bad idea though.

Although I also don't like the idea of dropping FTP for the sake of dropping things, asking sftp also shows the complexity of FTP families is commonly underestimated...
FileZilla's UI has a good taxonomy about it

First we have SFTP, which is fundamentally SSH plus something, and I don't think Firefox supports SSH natively.
Second we have a bunch of FTP variants, including
1. Plan FTP
2. Explicit TLS: Start with plain FTP, but enter TLS mode with "AUTH TLS"
3. Implicit TLS: Start with TLS, and use plain FTP over it

Furthermore the encoding problem is totally a mess on FTP. Some (mainly old ones on Windows) severs only support Local charset, Some (mainly Linux) only support UTF-8 because the "local" charset *is* UTF-8, some have to be enabled with "OPTS UTF8 ON". In addition to these, not all clients support UTF-8 so fixing your own server is not the end of the story.

(I ran a personal FTP server for my local community more than a decade ago and hit all the problems above... I even had to put a bunch of directories starting with ! to tell users how to use this server correctly.)

I don't open PDFs inside browsers and, unless they try to open it automatically, this will not affect me. Seems like a huge security disaster begging to be exploited.

To people defending use of HTTP(S?), well, FTP used to give you creation time, modification time and other timestamp data. HTTP(S?)s? The bastards that create the pages mostly can't bother to pass these important data. I would prefer to drop Firefox usage, if I could.

disabling FTP for security reason and enabling JS inside PDF at the same time sounds completely inconsistent to me

The problem with ftp is that is a over complicated protocol when compared with plain http. It do have some interesting features, but today most clients and server don't even use them... how many people even know that ftp protocol allow one transfer a file between ftp servers, without using the user connection? even worse, most firewalls now simply block that. All ftp users cases can be replaced by plain http or even better, webdav (over http). http at least allow proper proxy, caching and filtering. Now replacing ftp with https is probably a little of waste for speed, but on the other and you gain security (specially if you send authentication) and privacy

Using webdav is way better than ftp, you can even mount remote webdav and use then as normal folders (RW or RO) , allmost all OS (modern windows, mac and linux) know how to use webdav like that.

So no, ftp in browser is really not needed anymore, people can still use filezilla or whatever ftp GUI client they want (or cli ftp), but lets hope that more servers finish the migration to plain http for public mirrors and https for private ones

While i agree that javascript in PDFs is a very bad idea, the problem is that already exists for several years and those PDFs already fail in firefox. Between being forced to use acrobat reader or the firefox PDF reader, i trust much more the firefox one. If they add a option to have that disabled by default, and ask user to allow only for that pdf if the pdf is from trusted sources, it is a win

yes, computer can do much more than physical paper, but the purpose of PDF is just being a document.
Let it be a document, a plain and dumb document, please.

There are other means to make interactive contents.

FTP support was already removed from Chrome. There's an industry-wide agreement to drop it from web browsers, because:

• Very few people actually use it
• Basic FTP is insecure
• Browsers never implemented secure FTP and adding that isn't trivial
• Users that need it will be better off with a dedicated FTP client anyway

This is why I want PDF libraries to be written in Rust, and PDF applications to be sandboxed with technology such as seccomp, Flatpak and Snap.

It is great that they removed FTP support, it is a terrible protocol and HTTPS is much better. I think the overhead of encryption should be low, everyone has high-speed internet anyways. For large files you can use BitTorrent instead.

FTP is a terrible protocol on so many levels. It uses multiple ports, a connection for commands and a separate for data, it expects the server to connect to the client, so it is a nightmare for firewalls and sysadmins hate it. It by default sends in ASCII, and other modes are EBCDIC for mainframes from the 60s, it is very legacy. Different servers often act different and have non-standard extensions and clients often have to sniff which server it is and act accordingly.

FTP is a really ugly protocol with servers that extend it in non-standard ways so clients often have to sniff which server it is connected to and adjust itself to act differently depending on the server software. Removing it is good, it is less code to maintain, easier for developers, less places for vulnerabilities. Good that they removed FTP support. Maybe you can write an extension to support Gemini.