Firefox 88 Released With FTP Support Disabled, Support For JavaScript In PDFs

#31
Originally posted by bosjc:
    So when does WebRenderer finally get turned on for all GPUs in Linux?

According to this website: https://9to5linux.com/firefox-88-is-...ntel-amd-users the ball has been moved down the field in that direction.

    Firefox 88 Is Now Available for Download, Enables WebRender for KDE/Xfce Intel/AMD Users

    While it still doesn’t enable AVIF image format support by default, despite the fact that the beta version shipped with AVIF enabled by default, Firefox 88 promises to enable the WebRender feature by default for users using the KDE Plasma and Xfce desktop environments on Intel/AMD machines.

But I can neither confirm nor deny these allegations.
Last edited by ezst036; 19 April 2021, 05:19 PM.


#32
Looks like there's a pdfjs.enableScripting option in about:config (it's enabled by default).

Is there a good way to test that disabling it does actually work?
Last edited by ihatemichael; 19 April 2021, 05:27 PM.
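One way to answer the question in #32, added here as an example and not code from the thread, from Mozilla or from pdf.js: the script below writes a minimal one-page PDF whose /OpenAction is a /JavaScript action calling app.alert(). Opened in Firefox with pdfjs.enableScripting set to true, the viewer should show the alert; with the pref set to false the same file opens silently. The script also carries a naive scanner for script-bearing names (/JavaScript, /JS, /OpenAction, /AA, /Launch) that undoes the #xx name-escaping trick, used here to self-check the generated file, and an xref validator, so a silent viewer can be blamed on the pref rather than on a malformed file. The output file name and the alert text are my own choices; the scanner reads raw bytes only and does not inflate FlateDecode object streams, so it misses names stored inside them.

```python
"""Build a tiny PDF that runs JavaScript when opened, so a viewer's scripting
switch (for Firefox: pdfjs.enableScripting) can be tested, plus a naive scan
for script-bearing names and an xref sanity check.  Added example, not code
from the thread or from pdf.js."""
from __future__ import annotations

import re

# Raw PDF names that mark script or auto-run behaviour.  /AA = additional
# actions (page open, field events); /Launch = run an external program.
SCRIPT_MARKERS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch")


def escape_pdf_string(s: bytes) -> bytes:
    """Escape a literal PDF string: backslash first, then the delimiters."""
    return s.replace(b"\\", b"\\\\").replace(b"(", b"\\(").replace(b")", b"\\)")


def build_js_test_pdf(js: str = 'app.alert("pdf.js scripting is ENABLED");') -> bytes:
    """One page of text plus a document-level /OpenAction that runs `js`.
    The alert text is an arbitrary choice for this example."""
    content = b"BT /F1 18 Tf 40 700 Td (If scripting is on, an alert appears.) Tj ET"
    objects = [
        # 1: catalog, with the open action pointing at object 5
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >>",
        # 2: page tree, 3: the page, 4: its content stream
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R "
        b"/Resources << /Font << /F1 << /Type /Font /Subtype /Type1 "
        b"/BaseFont /Helvetica >> >> >> >>",
        b"<< /Length %d >>\nstream\n" % len(content) + content + b"\nendstream",
        # 5: the JavaScript action itself
        b"<< /Type /Action /S /JavaScript /JS ("
        + escape_pdf_string(js.encode("latin-1")) + b") >>",
    ]
    out = bytearray(b"%PDF-1.7\n")
    offsets = []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out))           # byte offset recorded in the xref
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_pos = len(out)
    out += b"xref\n0 %d\n" % (len(objects) + 1)
    out += b"0000000000 65535 f \n"        # entry 0 is always the free-list head
    for off in offsets:
        out += b"%010d 00000 n \n" % off   # exactly 20 bytes per entry
    out += (b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n"
            % (len(objects) + 1, xref_pos))
    return bytes(out)


def xref_offsets_valid(data: bytes) -> bool:
    """Follow startxref and check every in-use entry points at 'N G obj'."""
    m = re.search(rb"startxref\s+(\d+)\s+%%EOF\s*$", data)
    if not m:
        return False
    pos = int(m.group(1))
    if not data.startswith(b"xref", pos):
        return False
    hdr = re.match(rb"xref\s+(\d+)\s+(\d+)\s*\n", data[pos:])
    if not hdr:
        return False
    start, count = int(hdr.group(1)), int(hdr.group(2))
    entries_at = pos + hdr.end()
    for i in range(count):
        entry = data[entries_at + 20 * i: entries_at + 20 * (i + 1)]
        off, gen, kind = int(entry[:10]), int(entry[11:16]), entry[17:18]
        if kind == b"n" and not data.startswith(b"%d %d obj" % (start + i, gen), off):
            return False
    return True


def unescape_pdf_names(data: bytes) -> bytes:
    """Resolve #xx escapes so /J#53 reads as /JS.  Applied to the whole
    buffer, so a '#41' inside a string literal is rewritten too; for a
    triage scan that over-approximation is acceptable."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf_for_scripting(data: bytes) -> dict[str, int]:
    """Count script-related names in the raw (uncompressed) bytes of a PDF.
    Names inside FlateDecode object streams are NOT seen by this scan."""
    data = unescape_pdf_names(data)
    found = {}
    for marker in SCRIPT_MARKERS:
        # Require a delimiter after the name so /JS does not match /JSX etc.
        n = len(re.findall(re.escape(marker) + rb"(?![A-Za-z0-9_])", data))
        if n:
            found[marker.decode()] = n
    return found


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "pdfjs-scripting-test.pdf"
    pdf = build_js_test_pdf()
    assert xref_offsets_valid(pdf)
    with open(path, "wb") as fh:
        fh.write(pdf)
    print(f"wrote {path} ({len(pdf)} bytes); markers: {scan_pdf_for_scripting(pdf)}")
```

Run it, open the resulting file in Firefox, flip pdfjs.enableScripting in about:config and reload the tab; the alert should appear only while the pref is true. To pin the setting across restarts, `user_pref("pdfjs.enableScripting", false);` in the profile's user.js does the job. pdf.js implements only a subset of the Acrobat JavaScript API, so a more exotic payload may stay silent even with scripting on; app.alert() is the plainest probe.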


#33
Originally posted by kpedersen:
    Haha.
    Originally posted by Brane215:
        You are either intentionally misleading or clueless.

Are you aware that you (and everybody else) are running - on your machine locally - hundreds of thousands of lines of Javascript code in a sandbox VM every day when using the Internet? Javascript in PDF is also running in a sandbox VM.

If a scientist publishes an article then Javascript in PDF will enable you - a 21st century reader - to play with various scenarios enabling you to grasp the content of the article more quickly and more profoundly. You can of course freely choose to remain a 20th century reader by disabling Javascript in all PDFs. Of course, it might take several decades for scientific articles to begin making a good use of interactivity in PDFs.


#34
If Blockbuster had only figured out how to distribute movies in PDF format, maybe they would still be around.

I think the complaint here is about scope. There is value in a simple immutable preview=print document format and unless a better (ubiquitous) standard comes along for that, then this feature creep cuts directly into that value.


#35
Originally posted by atomsymbol:
    Are you aware that you (and everybody else) are running - on your machine locally - hundreds of thousands of lines of Javascript code in a sandbox VM every day when using the Internet? Javascript in PDF is also running in a sandbox VM.

You trust the sandbox doesn't have flaws? C'mon.

I run my web browser in a FreeBSD Jail because they are known to have security issues. Heck, just look at the amount of work the OpenBSD project has put in to adding pledge(2) and unveil(2) into Chromium and Firefox.

I tend to not run my PDFs in a Jail because they are less likely to have security flaws (they still do have some, injecting shellcode into PDF has been done in the past). Unless I can turn off Javascript, I will likely now run the PDF viewer in a jail because it opens up a whole (pointless) can of mess.

Microsoft Office MACROS run in a VB6 VM. That VM did little to provide a whole species of virus.
Last edited by kpedersen; 19 April 2021, 05:53 PM.


#36
Originally posted by kpedersen:
    I still use FTP a fair amount to get .iso images. HTTPS encryption seems very wasteful for this.

sudo apt-get install aria2; aria2c https://www.whatever.com/path/to/distro-iso.torrent

You'll get hash verification and automatic retry/resume if a chunk fails hash checks or a connection breaks.

(aria2c is like wget but with BitTorrent and Metalink support, multi-connection download accelerator support for HTTP/HTTPS, and it supports web seeding so, if the torrent lists the HTTP or HTTPS URLs as web seeds, then you get whatever download speed they give you plus whatever you can get from the torrent swarm.)

Of course, let it download the .torrent file over HTTPS so it can catch attempts to MITM the definition of which hashes are correct.


#37
Originally posted by acobar:
    I would prefer to drop Firefox usage, if I could.

Firefox is just following a change Google made a while ago to Chrome and anything which just repackages Chromium's protocol support... which is something like 90% of users now. FTP was already dead.

I think I remember Google's rationale being that even Passive FTP is too much of a mess to bend over backward to support in a world with things like Carrier Grade NAT for IPv4... something I agree with as someone who's set up BSD-based firewalls in the past.

I think we should just stop holding back WebDAV server support to things like Apache when there's a WebDAV client in every major file manager and, to anything short of an MITMing proxy, TLS-protected WebDAV is indistinguishable from ordinary HTTPS because it's just HTTP with some new methods (new friends for GET, PUT, POST, etc.) for things like getting directory listings, file attributes, and revision histories, and clearly defined rules for how to achieve which modification using which verbs.

Do WebDAV clients support HTTP/2 yet? I remember hearing that has opportunistic encryption so you can use an HTTP URL and have the server upgrade to an encrypted but not authenticated connection without needing a CA cert to help make NSA-style large-scale passive surveillance unfeasible.
Last edited by ssokolow; 19 April 2021, 06:19 PM.


#38
Originally posted by kpedersen:
    You trust the sandbox doesn't have flaws? C'mon.

    I run my web browser in a FreeBSD Jail because they are known to have security issues. Heck, just look at the amount of work the OpenBSD project has put in to adding pledge(2) and unveil(2) into Chromium and Firefox.

    I tend to not run my PDFs in a Jail because they are less likely to have security flaws (they still do have some, injecting shellcode into PDF has been done in the past). Unless I can turn off Javascript, I will likely now run the PDF viewer in a jail because it opens up a whole (pointless) can of mess.

    Microsoft Office MACROS run in a VB6 VM. That VM did little to provide a whole species of virus.

Technically, you should have been doing that all along, because PostScript is a Turing-complete language and there have been privilege escalation vulnerabilities in the Ghostscript, Poppler, xpdf, etc. sandboxes before.


#39
FTP is, in some respect, like Gopher, Telnet, or Gemini: so much better on the CLI!


#40
Originally posted by atomsymbol:
    Are you aware that you (and everybody else) are running - on your machine locally - hundreds of thousands of lines of Javascript code in a sandbox VM every day when using the Internet? Javascript in PDF is also running in a sandbox VM.

    If a scientist publishes an article then Javascript in PDF will enable you - a 21st century reader - to play with various scenarios enabling you to grasp the content of the article more quickly and more profoundly. You can of course freely choose to remain a 20th century reader by disabling Javascript in all PDFs. Of course, it might take several decades for scientific articles to begin making a good use of interactivity in PDFs.

I'm not particularly concerned about pdfs running js in my browser, because that app is hardened and tested to make sure its security works.

I think putting a js engine in every random pdf viewer out there is a recipe for failure, because pdfs are already very complicated, are frequently used as attack vectors, and I don't believe that most pdf app developers are particularly well versed in writing secure javascript execution environments. That cat's been out of the bag for a while already, though.