Announcement

Collapse
No announcement yet.

Firefox 88 Released With FTP Support Disabled, Support For JavaScript In PDFs

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • #21
    Originally posted by rockiron View Post
    Why they are removing support for FTP????

    What's wrong with FTP????

    The fact that Dropbox doesn't support FTP means that Dropbox should support it, not that we should drop it
    While ftp looks easy, it is a complex protocol, it needs 2 connections, one is the command, outgoing from the client, and one data transfer incoming from the server (active mode). Yes, incoming connection from the server to your machine. That is a firewall nightmare. As this fails a lot, they added the passive mode, where the client opens a second connection to the server for the transfer mode. But that also have some problems with firewalls and servers, how to make sure the incoming connection is from the allowed user and not from some hacker? there is a potential DoS also for this feature. Now add the utf-8 support or lack of, ipv6, plain text passwords, multiple encryption extensions, with no clear winner, almost no one supports anymore server to server transfers, basically ftp is a really pain, that is invisible because many people worked hard to have workarounds for most problems and hide then from users. But the true is that ftp still fails for many people, specially in corporate, where firewall are more restrictive.

    All this problems and we have a alternative protocol that is much simpler and with wider support. http and https can transfer files directly and both can be extended to use webdav, that will give you all the ftp features (except server to server transfer) without any of the problems. Webdav is used in many places, but many times are hidden behind web interfaces or apps

    Comment


    • #22
      Originally posted by ihatemichael View Post

      OMG, isn't this like a huge security issue? Any way to disable this?
      Maybe with the NoScript extension for Firefox.

      Originally posted by zxy_thf View Post
      Although I also don't like the idea of dropping FTP for the sake of dropping things, asking sftp also shows the complexity of FTP families is commonly underestimated...
      FileZilla's UI has a good taxonomy about it

      First we have SFTP, which is fundamentally SSH plus something, and I don't think Firefox supports SSH natively.
      Second we have a bunch of FTP variants, including
      1. Plan FTP
      2. Explicit TLS: Start with plain FTP, but enter TLS mode with "AUTH TLS"
      3. Implicit TLS: Start with TLS, and use plain FTP over it

      Furthermore the encoding problem is totally a mess on FTP. Some (mainly old ones on Windows) severs only support Local charset, Some (mainly Linux) only support UTF-8 because the "local" charset *is* UTF-8, some have to be enabled with "OPTS UTF8 ON". In addition to these, not all clients support UTF-8 so fixing your own server is not the end of the story.

      (I ran a personal FTP server for my local community more than a decade ago and hit all the problems above... I even had to put a bunch of directories starting with ! to tell users how to use this server correctly.)
      It is worse than that, it by default uses ASCII, it has this legacy EBCDIC things. Many servers have proprietary non-standard protocol extensions so clients often have to sniff which server it is, and have code for each server.

      Originally posted by acobar View Post
      I don't open PDFs inside browsers and, unless they try to open it automatically, this will not affect me. Seems like a huge security disaster begging to be exploited.

      To people defending use of HTTP(S?), well, FTP used to give you creation time, modification time and other timestamp data. HTTP(S?)s? The bastards that create the pages mostly can't bother to pass these important data. I would prefer to drop Firefox usage, if I could.
      The JavaScript thing doesn't really make it any less secure since the browser already executes JavaScript on webpages. The thing that renders the PDF is the JavaScript library pdf.js, so it is all JavaScript anyways.

      Mostly creation time and modification time is irrelevant, if you care about that stuff you can use archives like .zip, .7z, .tar.gz, .tar.xz, etc.


      Originally posted by cynic View Post
      disabling FTP for security reason and enabling JS inside PDF at the same time sounds completely inconsistent to me
      The JavaScript thing doesn't really make it any less secure since the browser already executes JavaScript on webpages. The thing that renders the PDF is the JavaScript library pdf.js, so it is all JavaScript anyways.

      Comment


      • #23
        Originally posted by rockiron View Post
        Why they are removing support for FTP????

        What's wrong with FTP????

        The fact that Dropbox doesn't support FTP means that Dropbox should support it, not that we should drop it
        There is a fair bit that is wrong with FTP. The inane binary/ascii distinction, the active mode or a RFC that is full of MAY and SHOULD, to name but a few.

        Anyway, what is the point of it today when we have webdav, why would you want to use it?

        Comment


        • #24
          Originally posted by atomsymbol

          Why would it be a security issue? The days of unsecure operating environments like MS-DOS are over.
          You are either intentionally misleading or clueless.

          Comment


          • #25
            Does anyone know the relation between the X11 and EGL in firefox?
            For example, is gfx.x11-egl.force-enabled possible on wayland?

            Comment


            • #26
              It doesn't actually matter if a browser has FTP or not. There are dedicated FTP applications lol. I never understood why web browsers integrated it in the first place. Its never been my way of using FTP. FileZilla is free and blows the browser away.

              Webdav is webdav. FTP is FTP. They are both a means to the same end. I don't know what that point of that comment is really. Webdav will have its own problems. Use whatever is acceptable for your use.
              Last edited by ix900; 19 April 2021, 04:08 PM.

              Comment


              • #27
                Originally posted by mppix View Post
                Does anyone know the relation between the X11 and EGL in firefox?
                For example, is gfx.x11-egl.force-enabled possible on wayland?
                Wayland always uses EGL already.

                Comment


                • #28
                  Originally posted by ix900 View Post
                  It doesn't actually matter if a browser has FTP or not. There are dedicated FTP applications lol. I never understood why web browsers integrated it in the first place. Its never been my way of using FTP. FileZilla is free and blows the browser away.

                  Webdav is webdav. FTP is FTP. They are both a means to the same end. I don't know what that point of that comment is really. Webdav will have its own problems. Use whatever is acceptable for your use.
                  I tend to agree. A web browsers should not integrate a FTP client. However I have also point out that HTTP(S) is not a replacement for FTP. FTP has different uses case. E.g. you can easily view the content of a folders. It allow to upload and to download files.... Of course it was developed in another era, and so FTP is an insecure protocol for the today standards.

                  I can't comment webdav because I used it in the past only few times.

                  Anyway sftp is a better solution than ftp.

                  Comment


                  • #29
                    Originally posted by bosjc View Post
                    So when does WebRenderer finally get turned on for all GPUs in Linux?
                    According to this website: https://9to5linux.com/firefox-88-is-...ntel-amd-users the ball has been moved down the field in that direction.

                    Firefox 88 Is Now Available for Download, Enables WebRender for KDE/Xfce Intel/AMD Users

                    While it still doesn’t enable AVIF image format support by default, despite the fact that the beta version shipped with AVIF enabled by default, Firefox 88 promises to enable the WebRender feature by default for users using the KDE Plasma and Xfce desktop environments on Intel/AMD machines.
                    But I can neither confirm nor deny these allegations.
                    Last edited by ezst036; 19 April 2021, 05:19 PM.

                    Comment


                    • #30
                      Looks like there's a pdfjs.enableScripting option in about:config (it's enabled by default).

                      Is there a good way to test that disabling it does actually work?
                      Last edited by ihatemichael; 19 April 2021, 05:27 PM.

                      Comment

                      Working...
                      X