Open Bug 859603 Opened 11 years ago Updated 2 years ago

Add "load from URL" button in about:memory

Categories

(Toolkit :: about:memory, defect, P3)

People

(Reporter: n.nethercote, Unassigned)

Details

(Whiteboard: [MemShrink:P2])

Once bug 848560 lands, gzipped JSON will become the standard form for attaching memory reports to bugs.  As a result, the "read from clipboard" function won't be much use, and we should replace it with "load from URL".

Since it's just JSON I don't think there will be any security concerns, but perhaps we should run this past a security person just to be sure.
Flags: sec-review?
Flags: sec-review? → sec-review?(dveditz)
Whiteboard: [MemShrink] → [MemShrink:P2]
Note to self: an XHR is the way to do this.
"Read from clipboard" was removed in bug 1127645. "Load from URL" would still be very useful.
Summary: Replace "read from clipboard" with "load from URL" in about:memory → Add "load from URL" button in about:memory
Priority: -- → P3
Blocks: 1286131
(In reply to Nicholas Nethercote [:njn] from comment #0)
> Since it's just [gzipped] JSON I don't think there will be any security concerns, but
> perhaps we should run this past a security person just to be sure.

Off the top of my head, historically there have been security exploits in gzip implementations and JSON parsers. I'll assume you're using the standard in-tree implementations and not rolling your own, in which case it's at least not additional risk and the standard implementations have had tons of testing.

This feature isn't just a JSON pretty-printer (or is it?): there's additional potential for security bugs in whatever you're doing with the content.
> Off the top of my head, historically there have been security exploits in
> gzip implementations and JSON parsers. I'll assume you're using the standard
> in-tree implementations and not rolling your own, in which case it's at
> least not additional risk and the standard implementations have had tons of
> testing.

Correct, the feature would use the in-tree ones: nsGzipConverter and JSON.parse. In fact, those things are already in use because we've supported the ability to load these files from local disk for a long time. This bug is just about letting you load from a specified URL as well, the motivation being that we often save memory report files from bug reports and then load them locally, and this feature would just streamline that use case.

> This feature isn't just a JSON pretty-printer (or is it?): there's
> additional potential for security bugs in whatever you're doing with the
> content.

It *is* just a JSON pretty-printer.
Flags: sec-review?(dveditz)
Severity: normal → S3
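
Added example, not part of the bug thread or of Firefox's code: one way a "load from URL" path could treat the fetched report as untrusted input after decompression, by restricting the URL scheme, bounding sizes, and copying only validated fields before display. The https-only policy, the limits, and the report field names (`version`, `reports`, `process`, `path`, `kind`, `units`, `amount`, `description`) are assumptions about the memory report layout.

```javascript
// Added example: the limits and the report field layout are assumptions.
const LIMITS = { maxChars: 64 * 1024 * 1024, maxReports: 500000, maxString: 4096 };
const KINDS = new Set([0, 1, 2]);     // assumed: non-heap, heap, other
const UNITS = new Set([0, 1, 2, 3]);  // assumed: bytes, count, cumulative count, percentage

// Assumed policy: only https: URLs may be loaded; every other scheme is rejected.
function checkReportUrl(spec) {
  let url;
  try { url = new URL(spec); } catch (e) { throw new Error("not a valid URL"); }
  if (url.protocol !== "https:") throw new Error("scheme not allowed: " + url.protocol);
  return url.href;
}

function isBoundedString(v, limits) {
  return typeof v === "string" && v.length <= limits.maxString;
}

// Parse already-decompressed text and return only validated, plain-data entries.
function parseMemoryReport(text, limits = LIMITS) {
  if (typeof text !== "string" || text.length > limits.maxChars) {
    throw new Error("report too large");
  }
  let doc;
  try { doc = JSON.parse(text); } catch (e) { throw new Error("not valid JSON"); }
  if (doc === null || typeof doc !== "object" || !Array.isArray(doc.reports)) {
    throw new Error("missing reports array");
  }
  if (!Number.isInteger(doc.version)) throw new Error("bad version");
  if (doc.reports.length > limits.maxReports) throw new Error("too many reports");
  return doc.reports.map((r, i) => {
    const ok = r !== null && typeof r === "object" &&
      isBoundedString(r.process, limits) && isBoundedString(r.path, limits) &&
      isBoundedString(r.description, limits) &&
      KINDS.has(r.kind) && UNITS.has(r.units) && Number.isSafeInteger(r.amount);
    if (!ok) throw new Error("malformed report at index " + i);
    // Copy known fields only, so unexpected keys never reach the display code.
    return { process: r.process, path: r.path, kind: r.kind,
             units: r.units, amount: r.amount, description: r.description };
  });
}

// Constructed sample input (not taken from a real memory report).
const SAMPLE = JSON.stringify({ version: 1, hasMozMallocUsableSize: true, reports: [
  { process: "Main Process", path: "explicit/js/constructed", kind: 1,
    units: 0, amount: 4096, description: "constructed entry", extra: "dropped" },
] });
```

The returned strings are still attacker-controlled text, so a viewer should insert them as text nodes rather than as markup.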