I thought I enumerated the harm at first, but I'll elaborate a little.

1) Flash doesn't know about and breaks our "current and subdirectory only"
file: origin policy.

2) Flash is a high-risk attack surface: if you can get somebody to download
a SWF they can probably own your system. We don't have anyone testing or
defending this effectively.

So we believe that there is significant harm in the current situation, and
very little upside.

--BDS

On Thu, Feb 9, 2017 at 7:09 PM, Xidorn Quan <m...@upsuper.org> wrote:

> On Fri, Feb 10, 2017, at 04:29 AM, Benjamin Smedberg wrote:
> > > Will this also prevent loading downloaded .swf files into Firefox? This
> > > is useful for running Flash games, which tend to work best in the browser
> > > (some media players also support loading Flash files, but their hotkeys
> > > tend to conflict).
> >
> > It will prevent them from loading via File > Open, yes (and that is the
> > fundamental change we need to make). If you were to serve them via
> > localhost you could still use them (e.g. with python -m
> > SimpleHTTPServer).
>
> I kind of disagree with this. SimpleHTTPServer is simple for developers
> but not at all for normal users. I think it should be allowed to load a
> top level Flash file. What harm could it do if we allow that?
>
> - Xidorn
> _______________________________________________
> dev-platform mailing list
> dev-platform@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-platform
>