On 2017-02-13 11:50 AM, 段垚 wrote:
>
> On 2017/2/14 0:24, Ehsan Akhgari wrote:
>> On 2017-02-10 7:51 PM, 段垚 wrote:
>>>
>>> On 2017/2/11 2:26, t...@ritter.vg wrote:
>>>> On Friday, 10 February 2017 08:32:27 UTC-6, Benjamin Smedberg wrote:
>>>>> I thought I enumerated the harm at first, but I'll elaborate a little.
>>>>>
>>>>> 1) Flash doesn't know about and breaks our "current and subdirectory
>>>>> only" file: origin policy.
>>>>>
>>>>> 2) Flash is a high-risk attack surface: if you can get somebody to
>>>>> download a SWF they can probably own your system. We don't have anyone
>>>>> testing or defending this effectively.
>>>>>
>>>>> So we believe that there is significant harm in the current
>>>>> situation, and very little upside.
>>>> I think #1 is sufficient to remove this behavior, even ignoring #2. A
>>>> malicious Flash applet opened from file:// can read the user's
>>>> profile, take all their saved passwords, cookies, etc. and steal data,
>>>> masquerade as them, and perform all manner of malicious activity.
>>> I agree that this is a problem, but I disagree that Firefox must remove
>>> this behavior now.
>>>
>>> * This behavior has existed for decades in all desktop browsers, and the
>>> usage of Flash is declining, which means the threat is also declining.
>> That is not true. It is public knowledge that Flash exploits are traded
>> as a commodity these days:
>> <https://www.wired.com/2015/07/hacking-team-leak-shows-secretive-zero-day-exploit-sales-work/>.
>>
>
> I guess all popular software has exploits being traded. How does this fact
> invalidate my argument?

I was responding to your point about the threat declining because of the
declining usage of Flash. This is demonstrably not true.

> Also I think forbidding non-http(s) Flash does not fix those exploits
> magically.

Sure, this is about reducing attack surface, not completely eliminating it.

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform