在 2017/2/14 0:24, Ehsan Akhgari 写道:
On 2017-02-10 7:51 PM, 段垚 wrote:
在 2017/2/11 2:26, t...@ritter.vg 写道:
On Friday, 10 February 2017 08:32:27 UTC-6, Benjamin Smedberg wrote:
I thought I enumerated the harm at first, but I'll elaborate a little.
1) Flash doesn't know about and breaks our "current and subdirectory
only"
file: origin policy.
2) Flash is a high-risk attack surface: if you can get somebody to
download
a SWF they can probably own your system. We don't have anyone testing or
defending this effectively.
So we believe that there is significant harm in the current
situation, and
very little upside.
I think #1 is sufficient to remove this behavior, even ignoring #2. A
malicious flash applet open opened from file:// can read the user's
profile, take all their saved passwords, cookies, etc and steal data,
masquerade as them, and perform all manner of malicious activity.
I agree that this is a problem, but I disagree that Firefox must remove
this behavior now.
* This behavior has existed for decades in all desktop browsers, and the
usage of Flash is declining, which means the threaten is also declining.
That is not true. It is public knowledge that Flash exploits are traded
as a commodity these days:
<https://www.wired.com/2015/07/hacking-team-leak-shows-secretive-zero-day-exploit-sales-work/>.
I guess all popular softwares have exploits being traded. How this fact
invalidates my argument?
Also I think forbidding non-http(s) Flash does not fix thoses exploits
magically.
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
