On 2017-02-10 7:51 PM, 段垚 wrote: > > > 在 2017/2/11 2:26, t...@ritter.vg 写道: >> On Friday, 10 February 2017 08:32:27 UTC-6, Benjamin Smedberg wrote: >>> I thought I enumerated the harm at first, but I'll elaborate a little. >>> >>> 1) Flash doesn't know about and breaks our "current and subdirectory >>> only" >>> file: origin policy. >>> >>> 2) Flash is a high-risk attack surface: if you can get somebody to >>> download >>> a SWF they can probably own your system. We don't have anyone testing or >>> defending this effectively. >>> >>> So we believe that there is significant harm in the current >>> situation, and >>> very little upside. >> I think #1 is sufficient to remove this behavior, even ignoring #2. A >> malicious flash applet open opened from file:// can read the user's >> profile, take all their saved passwords, cookies, etc and steal data, >> masquerade as them, and perform all manner of malicious activity. > > I agree that this is a problem, but I disagree that Firefox must remove > this behavior now. > > * This behavior has existed for decades in all desktop browsers, and the > usage of Flash is declining, which means the threaten is also declining.
That is not true. It is public knowledge that Flash exploits are traded as a commodity these days: <https://www.wired.com/2015/07/hacking-team-leak-shows-secretive-zero-day-exploit-sales-work/>. _______________________________________________ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
