I intend to ship a change which will prevent Flash from loading from file:, ftp:, or any other URL scheme other than http: or https:. The purpose of this change is to increase security and limit Flash to well-tested configuraitons.
- file: same-origin security mechanism is different, and so there have been problems in the past with Flash content bypassing normal controls. - Flash is normally not tested with ftp: or other protocols, and we've had security issues in the past as a result of interactions between Flash and these sites. I am not yet sure whether we will be able to prevent Flash from loading in data: contexts or not. I'd like to, but it may not be possible without breaking existing content. This work is being tracked in https://bugzilla.mozilla.org/show_bug.cgi?id=1335475 --BDS _______________________________________________ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform