Firefox 88 Released With FTP Support Disabled, Support For JavaScript In PDFs


  • #21
    FTP support was already removed from Chrome. There's an industry-wide agreement to drop it from web browsers, because:
    • Very few people actually use it
    • Basic FTP is insecure
    • Browsers never implemented secure FTP and adding that isn't trivial
    • Users that need it will be better off with a dedicated FTP client anyway

    Comment


    • #22
      Originally posted by franglais125 View Post
      Re: embedded Javascript. Here is a similar request for evince/libpoppler https://gitlab.gnome.org/GNOME/evince/-/issues/24

      I was looking forward to something like this (for some simple animations I create with tikz, in latex).
      On the other hand, I shudder at thinking of future malware taking advantage of this (if it manages to break out of the sandbox, obviously).

      (Not trying to hijack the thread with gnome stuff, so please don't derail from here).
      This is why I want PDF libraries to be written in Rust, and PDF applications to be sandboxed with technology such as seccomp, Flatpak and Snap.

      Originally posted by kpedersen View Post
      • I still use FTP a fair amount to get .iso images. HTTPS encryption seems very wasteful for this.
      • I never want to run any Javascript in a PDF file.

      .... good to see the web and its priorities are on track!

      bunch of clowns.
      It is great that they removed FTP support, it is a terrible protocol and HTTPS is much better. I think the overhead of encryption should be low, everyone has high-speed internet anyways. For large files you can use BitTorrent instead.

      Originally posted by rockiron View Post
      Why are they removing support for FTP????

      What's wrong with FTP????

      The fact that Dropbox doesn't support FTP means that Dropbox should support it, not that we should drop it
      FTP is a terrible protocol on so many levels. It uses multiple ports, a connection for commands and a separate one for data, it expects the server to connect to the client, so it is a nightmare for firewalls and sysadmins hate it. It by default sends in ASCII, and other modes are EBCDIC for mainframes from the 60s, it is very legacy. Different servers often act differently and have non-standard extensions and clients often have to sniff which server it is and act accordingly.

      Originally posted by kylew77 View Post
      I agree, it is stupid to drop FTP support just like it was stupid to drop gopher support and not add gemini support. These extra protocols shouldn't take up much code and it's not like it is hurting anyone to keep them all enabled!
      FTP is a really ugly protocol with servers that extend it in non-standard ways so clients often have to sniff which server it is connected to and adjust itself to act differently depending on the server software. Removing it is good, it is less code to maintain, easier for developers, less places for vulnerabilities. Good that they removed FTP support. Maybe you can write an extension to support Gemini.

      Comment


      • #23
        Originally posted by rockiron View Post
        Why are they removing support for FTP????

        What's wrong with FTP????

        The fact that Dropbox doesn't support FTP means that Dropbox should support it, not that we should drop it
        While ftp looks easy, it is a complex protocol. It needs 2 connections: one is the command connection, outgoing from the client, and one is the data transfer, incoming from the server (active mode). Yes, an incoming connection from the server to your machine. That is a firewall nightmare. As this fails a lot, they added the passive mode, where the client opens a second connection to the server for the transfer mode. But that also has some problems with firewalls and servers: how do you make sure the incoming connection is from the allowed user and not from some hacker? There is also a potential DoS for this feature. Now add the utf-8 support or lack of it, ipv6, plain text passwords, multiple encryption extensions with no clear winner, and almost no one supports server to server transfers anymore. Basically ftp is a real pain that is invisible because many people worked hard to have workarounds for most problems and hide them from users. But the truth is that ftp still fails for many people, especially in corporate, where firewalls are more restrictive.

        All these problems, and we have an alternative protocol that is much simpler and with wider support. http and https can transfer files directly and both can be extended to use webdav, which will give you all the ftp features (except server to server transfer) without any of the problems. Webdav is used in many places, but many times it is hidden behind web interfaces or apps.

        Comment
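
The checks a server and a client can apply to the two data-connection modes described in the post above, written as an added example that is not part of the original thread. The function names and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
import ipaddress
import re

# h1,h2,h3,h4,p1,p2 as carried by PORT and by the 227 reply to PASV (RFC 959).
_HOSTPORT = re.compile(
    r"(?<!\d)(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})(?!\d)",
    re.ASCII,
)


def parse_hostport(text):
    """Return (IPv4Address, port) from the first h1,...,p2 group in text."""
    m = _HOSTPORT.search(text)
    if not m:
        raise ValueError("no host-port group found")
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range")
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]


def allow_active(control_peer, port_arg):
    """Active mode, server side: connect back only to the control peer
    itself, and never to a privileged port."""
    try:
        ip, port = parse_hostport(port_arg)
    except ValueError:
        return False
    return ip == ipaddress.ip_address(control_peer) and port >= 1024


def allow_passive(control_peer, data_peer):
    """Passive mode, server side: the data connection must come from the
    same address as the authenticated control connection."""
    return ipaddress.ip_address(control_peer) == ipaddress.ip_address(data_peer)


def passive_target(server_ip, pasv_reply):
    """Passive mode, client side: use the port from the 227 reply but keep
    the control connection's address instead of the advertised one."""
    if not pasv_reply.startswith("227"):
        raise ValueError("not a 227 reply")
    _, port = parse_hostport(pasv_reply)
    return server_ip, port
```

Matching addresses is a coarse check, since clients behind one NAT share an address.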


        • #24
          Originally posted by ihatemichael View Post

          OMG, isn't this like a huge security issue? Any way to disable this?
          Maybe with the NoScript extension for Firefox.

          Originally posted by zxy_thf View Post
          Although I also don't like the idea of dropping FTP for the sake of dropping things, asking for sftp also shows the complexity of FTP families is commonly underestimated...
          FileZilla's UI has a good taxonomy about it

          First we have SFTP, which is fundamentally SSH plus something, and I don't think Firefox supports SSH natively.
          Second we have a bunch of FTP variants, including
          1. Plain FTP
          2. Explicit TLS: Start with plain FTP, but enter TLS mode with "AUTH TLS"
          3. Implicit TLS: Start with TLS, and use plain FTP over it

          Furthermore the encoding problem is totally a mess on FTP. Some servers (mainly old ones on Windows) only support the local charset, some (mainly Linux) only support UTF-8 because the "local" charset *is* UTF-8, and some have to be enabled with "OPTS UTF8 ON". In addition to these, not all clients support UTF-8 so fixing your own server is not the end of the story.

          (I ran a personal FTP server for my local community more than a decade ago and hit all the problems above... I even had to put a bunch of directories starting with ! to tell users how to use this server correctly.)
          It is worse than that, it by default uses ASCII, it has these legacy EBCDIC things. Many servers have proprietary non-standard protocol extensions so clients often have to sniff which server it is, and have code for each server.

          Originally posted by acobar View Post
          I don't open PDFs inside browsers and, unless they try to open it automatically, this will not affect me. Seems like a huge security disaster begging to be exploited.

          To people defending use of HTTP(S?), well, FTP used to give you creation time, modification time and other timestamp data. HTTP(S?)s? The bastards that create the pages mostly can't bother to pass these important data. I would prefer to drop Firefox usage, if I could.
          The JavaScript thing doesn't really make it any less secure since the browser already executes JavaScript on webpages. The thing that renders the PDF is the JavaScript library pdf.js, so it is all JavaScript anyways.

          Mostly creation time and modification time is irrelevant, if you care about that stuff you can use archives like .zip, .7z, .tar.gz, .tar.xz, etc.


          Originally posted by cynic View Post
          disabling FTP for security reason and enabling JS inside PDF at the same time sounds completely inconsistent to me
          The JavaScript thing doesn't really make it any less secure since the browser already executes JavaScript on webpages. The thing that renders the PDF is the JavaScript library pdf.js, so it is all JavaScript anyways.

          Comment


          • #25
            Originally posted by rockiron View Post
            Why are they removing support for FTP????

            What's wrong with FTP????

            The fact that Dropbox doesn't support FTP means that Dropbox should support it, not that we should drop it
            There is a fair bit that is wrong with FTP. The inane binary/ascii distinction, the active mode or an RFC that is full of MAY and SHOULD, to name but a few.

            Anyway, what is the point of it today when we have webdav, why would you want to use it?

            Comment


            • #26
              Originally posted by atomsymbol View Post

              Why would it be a security issue? The days of unsecure operating environments like MS-DOS are over.
              You are either intentionally misleading or clueless.

              Comment


              • #27
                Does anyone know the relation between the X11 and EGL in firefox?
                For example, is gfx.x11-egl.force-enabled possible on wayland?

                Comment


                • #28
                  It doesn't actually matter if a browser has FTP or not. There are dedicated FTP applications lol. I never understood why web browsers integrated it in the first place. It's never been my way of using FTP. FileZilla is free and blows the browser away.

                  Webdav is webdav. FTP is FTP. They are both a means to the same end. I don't know what the point of that comment is really. Webdav will have its own problems. Use whatever is acceptable for your use.
                  Last edited by ix900; 19 April 2021, 04:08 PM.

                  Comment


                  • #29
                    Originally posted by mppix View Post
                    Does anyone know the relation between the X11 and EGL in firefox?
                    For example, is gfx.x11-egl.force-enabled possible on wayland?
                    Wayland always uses EGL already.

                    Comment


                    • #30
                      Originally posted by ix900 View Post
                      It doesn't actually matter if a browser has FTP or not. There are dedicated FTP applications lol. I never understood why web browsers integrated it in the first place. It's never been my way of using FTP. FileZilla is free and blows the browser away.

                      Webdav is webdav. FTP is FTP. They are both a means to the same end. I don't know what the point of that comment is really. Webdav will have its own problems. Use whatever is acceptable for your use.
                      I tend to agree. A web browser should not integrate an FTP client. However, I also have to point out that HTTP(S) is not a replacement for FTP. FTP has different use cases. E.g. you can easily view the contents of a folder. It allows you to upload and to download files.... Of course it was developed in another era, and so FTP is an insecure protocol by today's standards.

                      I can't comment on webdav because I have used it only a few times in the past.

                      Anyway sftp is a better solution than ftp.

                      Comment
