Bug 859603 - Add "load from URL" button in about:memory
Status: NEW
[MemShrink:P2]
Product: Toolkit
Classification: Components
Component: about:memory
: unspecified
: All All
: P3 normal
Assigned To: Nobody; OK to take it and work on it
: Nicholas Nethercote [:njn]
Mentors:
Depends on: 848560
Blocks: 1286131
Reported: 2013-04-08 18:38 PDT by Nicholas Nethercote [:njn]
Modified: 2016-07-21 17:30 PDT
jruderman: sec‑review? (dveditz)

Description Nicholas Nethercote [:njn] 2013-04-08 18:38:26 PDT
Once bug 848560 lands, gzipped JSON will become the standard form for attaching memory reports to bugs.  As a result, the "read from clipboard" function won't be much use, and we should replace it with "load from URL".

Since it's just JSON I don't think there will be any security concerns, but perhaps we should run this past a security person just to be sure.
Comment 1 Nicholas Nethercote [:njn] 2014-09-03 23:31:38 PDT
Note to self: an XHR is the way to do this.
Comment 2 Nicholas Nethercote [:njn] 2015-02-03 13:37:43 PST
"Read from clipboard" was removed in bug 1127645. "Load from URL" would still be very useful.
Comment 3 Daniel Veditz [:dveditz] 2016-07-21 12:46:28 PDT
(In reply to Nicholas Nethercote [:njn] from comment #0)
> Since it's just [gzipped] JSON I don't think there will be any security concerns, but
> perhaps we should run this past a security person just to be sure.

Off the top of my head, historically there have been security exploits in gzip implementations and JSON parsers. I'll assume you're using the standard in-tree implementations and not rolling your own, in which case it's at least not additional risk and the standard implementations have had tons of testing.

This feature isn't just a JSON pretty-printer (or is it?): there's additional potential for security bugs in whatever you're doing with the content.
Comment 4 Nicholas Nethercote [:njn] 2016-07-21 17:30:23 PDT
> Off the top of my head, historically there have been security exploits in
> gzip implementations and JSON parsers. I'll assume you're using the standard
> in-tree implementations and not rolling your own, in which case it's at
> least not additional risk and the standard implementations have had tons of
> testing.

Correct, the feature would use the in-tree ones: nsGzipConverter and JSON.parse. In fact, those things are already in use because we've supported the ability to load these files from local disk for a long time. This bug is just about letting you load from a specified URL as well, the motivation being that we often save memory report files from bug reports and then load them locally, and this feature would just streamline that use case.

> This feature isn't just a JSON pretty-printer (or is it?): there's
> additional potential for security bugs in whatever you're doing with the
> content.

It *is* just a JSON pretty-printer.
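
The checks a reviewer would look for once gzipped JSON arrives from a URL instead of local disk, as an added example that is not part of this bug thread and not Firefox code. Node.js `zlib` and `JSON.parse` stand in for the in-tree nsGzipConverter and parser; the size limits and the `reports`/`path`/`amount` shape are assumptions made for illustration.

```javascript
// Added example, not Firefox code. Limits and field names are assumptions.
const zlib = require("zlib");

const MAX_COMPRESSED = 1 << 20;    // assumed cap on downloaded bytes (1 MiB)
const MAX_DECOMPRESSED = 8 << 20;  // assumed cap on inflated bytes (8 MiB)
const MAX_REPORTS = 100000;        // assumed cap on entries handed to the renderer

// Decompress and parse an untrusted gzipped JSON body, failing closed.
function loadUntrustedReport(gzBytes) {
  if (!Buffer.isBuffer(gzBytes) || gzBytes.length > MAX_COMPRESSED) {
    throw new Error("compressed input missing or too large");
  }
  let raw;
  try {
    // maxOutputLength aborts inflation instead of expanding a gzip bomb.
    raw = zlib.gunzipSync(gzBytes, { maxOutputLength: MAX_DECOMPRESSED });
  } catch (e) {
    throw new Error("gzip rejected: " + e.code);
  }
  let doc;
  try {
    doc = JSON.parse(raw.toString("utf8"));
  } catch (e) {
    throw new Error("not valid JSON");
  }
  // Validate shape and types before any consumer touches the data.
  if (doc === null || typeof doc !== "object" || !Array.isArray(doc.reports)) {
    throw new Error("unexpected top-level shape");
  }
  if (doc.reports.length > MAX_REPORTS) throw new Error("too many reports");
  return doc.reports.map((r, i) => {
    if (r === null || typeof r !== "object" || typeof r.path !== "string" ||
        !Number.isSafeInteger(r.amount)) {
      throw new Error("bad report at index " + i);
    }
    return { path: r.path, amount: r.amount }; // copy only the known fields
  });
}

// Render as plain text; control characters in paths are replaced, never interpreted.
function renderText(reports) {
  return reports
    .map(r => r.amount + " B  " + r.path.replace(/[\u0000-\u001f\u007f]/g, "?"))
    .join("\n");
}
```

In a browser page the text returned by `renderText` would be assigned through `textContent`, not `innerHTML`, so the "pretty-printer" stays one.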
