On Friday, 10 February 2017 08:32:27 UTC-6, Benjamin Smedberg wrote:
> I thought I enumerated the harm at first, but I'll elaborate a little.
> 
> 1) Flash doesn't know about and breaks our "current and subdirectory only"
> file: origin policy.
> 
> 2) Flash is a high-risk attack surface: if you can get somebody to download
> a SWF they can probably own your system. We don't have anyone testing or
> defending this effectively.
> 
> So we believe that there is significant harm in the current situation, and
> very little upside.

I think #1 is sufficient to remove this behavior, even ignoring #2. A malicious
Flash applet opened from file:// can read the user's profile, take all
their saved passwords, cookies, etc., and steal data, masquerade as them, and
perform all manner of malicious activity.

-tom
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform