It looks like most of the Security discussion is happening in this bug now: https://bugzilla.mozilla.org/show_bug.cgi?id=907707
--Jet On Mon, Sep 21, 2015 at 9:18 PM, Eric Rescorla <e...@rtfm.com> wrote: > On Mon, Sep 21, 2015 at 8:48 PM, Eric Shepherd <esheph...@mozilla.com> > wrote: > > > Eric Rescorla wrote: > > > > I think there are some fairly obvious issues here, including: > > > > - There are obvious sensitive files you shouldn't upload under > > basically any conditions. > > - It's hard for the client to know what the implications of any directory > > upload are > > because they may not know what's in a given directory. > > > > I'm not a big fan of "the user is stupid and we have to protect him" as > an > > argument. :) > > > > Conveniently, that's not what I said. There's lots of stuff that's in > people's directories > that they're not readily aware of, including dotfiles, missaves, etc. > > > > > There are a lot of genuinely valid use cases for this feature; yes, > > security concerns should definitely be considered, but it's important to > be > > clear that if you want to address security concerns, or kill off the > > feature entirely. > > > > What's needed here is a real security assessment. That might lead to some > sort of security mediations, and might also lead to the conclusion that it > needs > to be killed. But the first thing to do is an assessment. So far I haven't > seen > one. > > -Ekr > _______________________________________________ > dev-platform mailing list > dev-platform@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-platform > _______________________________________________ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
