[londons_explore]

The code is old, and hard to secure. It lives in the browser rather than a subprocess, so is unsandboxed.

The FTP protocol itself isn't a nice binary protocol - it was designed for humans to type by hand, so has a lot of flexibility, leading to a lot of corner cases in the code.

There is also the fact that the flexibility of FTP allows the browser to attack other devices on the local network. For example, I could navigate an iframe to FTP://evil_payload@127.0.0.1:3389, allowing me to send a possible exploit to your your machine, bypassing firewalls.

Considering how few people use it, and the risks it still poses to everyone, I can see why they want to get rid of it.

[coribuci]

There is also the fact that the "modern browser" is no longer a browser but a program which runs remote code with local privileges and sometimes with elevated privileges. The main reason they want to deprecate ftp is the same reason they used for other protocols: it is much easier to control 1 protocol (https) instead of 10 (http, ftp, rss, ntp etc.). Especially when they decide which certificate is trusted in their browser (which browser (engine) happens to be the only one used by the majority).

[_8j50]

So you're saying ftp support could have simply been disabled by default where people who need it can simply turn it on? Also, the attack you're describing is a "cross protocol" attack for which modern browsers (at least firefox) have mitigations in place.