Hello,

jar: is an internal protocol that enables loading resources from inside a jar/zip file. Firefox is the only browser I'm aware of that supports it.

In Firefox 55, due to security concerns, we put using jar: with remote content (i.e. loaded over http(s), ftp - anything apart from file://, really) behind a hidden (i.e. about:config) preference that is disabled by default (https://www.fxsitecompat.com/en-CA/docs/2015/jar-protocol-support-has-been-disabled-by-default/ ; https://developer.mozilla.org/en-US/docs/Mozilla/Security/Security_and_the_jar_protocol ; https://bugzilla.mozilla.org/show_bug.cgi?id=1329336).

I would like to unship the preference in Firefox 60 and completely remove support.

When the code was originally written for Firefox 45, 2 years ago, IBM Notes broke. That was fixed in Notes/Domino 9.0.1 ( http://www.ibm.com/support/docview.wss?uid=swg21978919 ) in May 2016, so a good 2 and a bit years before 60 will ship. To my knowledge we are not aware of any other breakage on the (semi-)public web since then. We also successfully shipped this default-disabled back in August with 55, and it'll have been 1 year since then before the previous ESR (52) stops being supported.

As a result, I don't expect there to be any significant use of this preference anymore, nor do I see any good reason not to remove it. The bug for the removal is https://bugzilla.mozilla.org/show_bug.cgi?id=1427726 .

Please let me know if you have reason to believe remote jar: still has significant usage to the point that we cannot remove support in Firefox 60.

Gijs

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
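
For site owners checking whether their content still depends on remote jar: before the removal proposed in the message above, here is an added example (not part of the original message and not Mozilla code). It assumes the `jar:<archive-url>!/<entry>` URL form with possible nesting, treats any innermost scheme other than file: as remote, as the message does, and runs on constructed sample markup; all function names are hypothetical.

```javascript
// Assumed syntax: jar:<archive-url>!/<entry-path>; <archive-url> may itself be a jar: URL.
function parseJarUrl(url) {
  if (!/^jar:/i.test(url)) return null;
  const rest = url.slice(4);
  const sep = rest.lastIndexOf("!/"); // the last separator belongs to the outermost layer
  if (sep === -1) return null;        // malformed: no archive/entry separator
  return { inner: rest.slice(0, sep), entry: rest.slice(sep + 2) };
}

// Peel nested jar: layers and return the scheme the archive is actually fetched over.
function innermostScheme(url) {
  let current = url;
  while (/^jar:/i.test(current)) {
    const parsed = parseJarUrl(current);
    if (!parsed) return null;         // malformed layer, cannot classify
    current = parsed.inner;           // strictly shorter, so the loop terminates
  }
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(current);
  return m ? m[1].toLowerCase() : null;
}

// "Remote" here follows the message: anything apart from file://.
function isRemoteJar(url) {
  if (!/^jar:/i.test(url)) return false;
  const scheme = innermostScheme(url);
  return scheme !== null && scheme !== "file";
}

// Scan markup or script text for jar: URLs that rely on remote loading.
function findRemoteJarUrls(text) {
  const candidates = text.match(/jar:[^\s"'<>)]+/gi) || [];
  return candidates.filter(isRemoteJar);
}

// Constructed sample markup, not taken from any real site.
const SAMPLE = `
<img src="jar:https://example.com/assets.zip!/logo.png">
<a href="jar:file:///opt/app/help.jar!/index.html">help</a>
<iframe src="jar:jar:http://example.com/outer.zip!/inner.zip!/page.html"></iframe>
`;

for (const url of findRemoteJarUrls(SAMPLE)) {
  console.log("remote jar: reference:", url);
}
```

Any URL this reports is one that already needs the about:config preference in Firefox 55 and later, and would stop working entirely once the preference is removed.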
