On Tuesday, February 7, 2017 at 10:16:27 PM UTC+1, Benjamin Smedberg wrote: > I intend to ship a change which will prevent Flash from loading from file:, > ftp:, or any other URL scheme other than http: or https:. The purpose of > this change is to increase security and limit Flash to well-tested > configuraitons. > > > - file: same-origin security mechanism is different, and so there have > been problems in the past with Flash content bypassing normal controls. > - Flash is normally not tested with ftp: or other protocols, and we've > had security issues in the past as a result of interactions between Flash > and these sites. > > I am not yet sure whether we will be able to prevent Flash from loading in > data: contexts or not. I'd like to, but it may not be possible without > breaking existing content. > This work is being tracked in > https://bugzilla.mozilla.org/show_bug.cgi?id=1335475 > > --BDS
Will this also prevent loading downloaded .swf files into Firefox? This is useful for running Flash games, which tend to work best in the browser (some media players also support loading Flash files, but their hotkeys tend to conflict). Obviously if we get to the point where we stop supporting Flash altogether this use case will break anyway, so mostly asking for clarification. _______________________________________________ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
