Add "load from URL" button in about:memory

NEW
Unassigned

Status

Toolkit
about:memory
P3
normal
4 years ago
10 months ago

People

(Reporter: njn, Unassigned)

Tracking

unspecified
Bug Flags:
sec-review ?

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [MemShrink:P2])

(Reporter)

Description

4 years ago
Once bug 848560 lands, gzipped JSON will become the standard form for attaching memory reports to bugs.  As a result, the "read from clipboard" function won't be much use, and we should replace it with "load from URL".

Since it's just JSON I don't think there will be any security concerns, but perhaps we should run this past a security person just to be sure.

Updated

4 years ago
Flags: sec-review?
Flags: sec-review? → sec-review?(dveditz)
(Reporter)

Updated

4 years ago
Whiteboard: [MemShrink] → [MemShrink:P2]
(Reporter)

Comment 1

3 years ago
Note to self: an XHR is the way to do this.
(Reporter)

Comment 2

2 years ago
"Read from clipboard" was removed in bug 1127645. "Load from URL" would still be very useful.
Summary: Replace "read from clipboard" with "load from URL" in about:memory → Add "load from URL" button in about:memory
(Reporter)

Updated

11 months ago
Priority: -- → P3
(Reporter)

Updated

11 months ago
Blocks: 1286131
(In reply to Nicholas Nethercote [:njn] from comment #0)
> Since it's just [gzipped] JSON I don't think there will be any security concerns, but
> perhaps we should run this past a security person just to be sure.

Off the top of my head, historically there have been security exploits in gzip implementations and JSON parsers. I'll assume you're using the standard in-tree implementations and not rolling your own, in which case it's at least not additional risk and the standard implementations have had tons of testing.

This feature isn't just a JSON pretty-printer (or is it?): there's additional potential for security bugs in whatever you're doing with the content.
(Reporter)

Comment 4

10 months ago
> Off the top of my head, historically there have been security exploits in
> gzip implementations and JSON parsers. I'll assume you're using the standard
> in-tree implementations and not rolling your own, in which case it's at
> least not additional risk and the standard implementations have had tons of
> testing.

Correct, the feature would use the in-tree ones: nsGzipConverter and JSON.parse. In fact, those things are already in use because we've supported the ability to load these files from local disk for a long time. This bug is just about letting you load from a specified URL as well, the motivation being that we often save memory report files from bug reports and then load them locally, and this feature would just streamline that use case.

> This feature isn't just a JSON pretty-printer (or is it?): there's
> additional potential for security bugs in whatever you're doing with the
> content.

It *is* just a JSON pretty-printer.