On 07/20/2010 10:08 PM, Tim Starling wrote:
Firefogg support has been moved out to an extension, and that extension was not complete last time I checked. There was chunked upload support in the API, but it was Firefogg-specific; no client-neutral protocol has been proposed. The Firefogg chunking protocol itself is poorly thought-out and buggy; it's not the sort of thing you'd want to use by choice, with a non-Firefogg client.
We did request feedback for the protocol. We wanted to keep it simple. We are open to constructive dialog for improvement.
When I reviewed Firefogg, I found an extremely serious CSRF vulnerability in it. They say they have fixed it now, but I'd still be more comfortable promoting better-studied client-side extensions, if we have to promote a client-side extension at all.
Yes, there was a CSRF for a recently added new feature. It was fixed and had an update deployed within hours of it being reported; that was like over a year ago now? Firefogg has been reviewed; it has thousands of users. We are happy to do more reviewing. At one point we did some review with some Mozilla add-on folks, and we are happy to do that process again. That is of course if a CSRF from a year ago does not permanently make the extension a lost cause?
peace, --michael