Remove FTP support #1009

Closed
domenic opened this issue Mar 19, 2020 · 4 comments · Fixed by #1166
Labels
removal/deprecation Removing or deprecating a feature

Comments

@domenic
Member

domenic commented Mar 19, 2020

It seems Chrome and Firefox are both removing FTP support.

Potentially impacted parts of the spec:

  • Scheme fetch
  • Network scheme: maybe this can be removed in favor of "HTTP(S) scheme"? Or rename "HTTP(S) scheme" to "network scheme"? Unsure what this impacts.
  • Bad port blocking (connected to network scheme)
  • Main fetch step 2.8 appears to be attempting to network-error some FTP requests. If we instead network-error all FTP requests then this step can probably be deleted.

@bakkot
Contributor

bakkot commented Mar 19, 2020

> Network scheme: maybe this can be removed in favor of "HTTP(S) scheme"? Or rename "HTTP(S) scheme" to "network scheme"? Unsure what this impacts.

"Network scheme" is used at least in CSP, so that e.g. script-src * allows loading scripts hosted on http://example.com, https://example.com, and ftp://example.com, but does not allow <script src="data:text/javascript,alert(1)"></script>.

@domenic
Member Author

domenic commented Mar 19, 2020

Makes sense. But after removing FTP from browsers, it seems CSP could just replace that with HTTP(S) scheme. (Or we could replace all uses of HTTP(S) scheme with network scheme.)

@bakkot
Contributor

bakkot commented Mar 19, 2020

Yup, that's my reading too. That change would be observable, because it will mean that <script src="ftp://example.com"> on a page with script-src * will start triggering a user-observable CSP violation event, but that seems fine.

@annevk annevk added the removal/deprecation Removing or deprecating a feature label Mar 20, 2020
@annevk
Member

annevk commented Mar 20, 2020

I'd be inclined to remove "network scheme" and only have "HTTP(S) scheme" as any new kind of protocol would require a lot of changes anyway (and has a much higher bar to clear than FTP). If anything still requires safelisting "ftp" for compatibility reasons they could do so explicitly to indicate the legacy need.
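
The CSP effect discussed in the comments above, as an added example that is not part of the original thread and is not code from the Fetch or CSP specifications: a simplified model of only the `*` source expression, used to list which script sources on a page stop being allowed once `*` covers the HTTP(S) schemes instead of the network schemes. The function names, the base URL and the sample sources are constructed for illustration.

```javascript
// Scheme sets as described in the thread: "network scheme" covered
// http, https and ftp; "HTTP(S) scheme" covers only http and https.
const NETWORK_SCHEMES = new Set(["http:", "https:", "ftp:"]);
const HTTPS_SCHEMES = new Set(["http:", "https:"]);

// Simplified check: does `script-src *` allow this URL under the given
// scheme set? Only the scheme test from the thread is modelled here.
function wildcardAllows(rawUrl, baseUrl, schemes) {
  let url;
  try {
    // Resolves relative and scheme-relative sources against the page URL.
    url = new URL(rawUrl, baseUrl);
  } catch (e) {
    return false; // unparseable source: treated as not allowed
  }
  return schemes.has(url.protocol);
}

// Sources allowed under the old definition but not under the new one.
// These are the loads that would start raising CSP violation events.
function findNewlyBlocked(scriptSrcs, baseUrl) {
  return scriptSrcs.filter(
    (src) =>
      wildcardAllows(src, baseUrl, NETWORK_SCHEMES) &&
      !wildcardAllows(src, baseUrl, HTTPS_SCHEMES)
  );
}

// Constructed sample input: script sources collected from a page that
// is served with `script-src *`.
const SAMPLE_BASE = "https://example.com/app/";
const SAMPLE_SRCS = [
  "http://example.com/a.js",
  "https://example.com/b.js",
  "ftp://example.com/c.js",
  "data:text/javascript,alert(1)", // never matched by `*`
  "/static/d.js",                  // resolves to https
  "//example.com/e.js",            // scheme-relative, resolves to https
];

for (const src of SAMPLE_SRCS) {
  const before = wildcardAllows(src, SAMPLE_BASE, NETWORK_SCHEMES);
  const after = wildcardAllows(src, SAMPLE_BASE, HTTPS_SCHEMES);
  console.log(`${src}: before=${before} after=${after}`);
}
console.log("newly blocked:", findNewlyBlocked(SAMPLE_SRCS, SAMPLE_BASE));
```

Running the same comparison over the script sources of a real page shows which entries would need the explicit "ftp" safelisting mentioned in the last comment.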

annevk added a commit that referenced this issue Feb 10, 2021
Any fetching of ftp: URLs will now result in a network error.

This also removes network scheme in favor of using HTTP(S) scheme exclusively.

Closes #1009.
@annevk annevk mentioned this issue Feb 10, 2021
3 tasks