On 07/20/2010 10:08 PM, Tim Starling wrote:
> Firefogg support has been moved out to an extension, and that
> extension was not complete last time I checked. There was chunked
> upload support in the API, but it was Firefogg-specific, no
> client-neutral protocol has been proposed. The Firefogg chunking
> protocol itself is poorly thought-out and buggy, it's not the sort of
> thing you'd want to use by choice, with a non-Firefogg client.

We did request feedback for the protocol. We wanted to keep it simple.
We are open to constructive dialog for improvement.

> When I reviewed Firefogg, I found an extremely serious CSRF
> vulnerability in it. They say they have fixed it now, but I'd still be
> more comfortable promoting better-studied client-side extensions, if
> we have to promote a client-side extension at all.

Yes, there was a CSRF for a recently added new feature. It was fixed and
had an update deployed within hours of it being reported, that was like
over a year ago now? Firefogg has been reviewed; it has thousands of
users. We are happy to do more reviewing. At one point we did some
review with some Mozilla add-on folks, and we are happy to do that
process again. That is of course if a CSRF from a year ago does not
permanently make the extension a lost cause?

peace,
--michael