HTML5 Hard Disk Filler (and some more maxims)

Dumb example of a nasty trick: the “change one little thing and you have a security problem” problem. It turns out that except for Firefox, all the major web browsers fail to limit how much data a malicious website can store on your computer. They do limit the storage space for example.com, but they forget that 1.example.com and 2.example.com ought to count toward the same limit.

Some security maxims, to add to “trust / understand,” “backups for your backups,” and “only the risks you know” —

– Take responsibility and solve your own problems, avoid looking to an organization or other Wizard of Oz allegory to do that for you.

– In defense as in poker, always try to act last. Commitment phobia is your friend.

http://feross.org/fill-disk/

“Creating stuff is hard. Breaking stuff is easy. Thus, I take frequent breaks from creating stuff in order to break stuff.

Behold my latest hackery: FillDisk.com. Fill up your hard disk with just a single click![…]

The HTML5 Web Storage standard was developed to allow sites to store larger amounts of data (like 5-10 MB) than was previously allowed by cookies (like 4KB). localStorage is awesome because it’s supported in all modern browsers (Chrome, Firefox 3.5+, Safari 4+, IE 8+, etc.).

The standard anticipated that sites might abuse this feature and advised that browsers limit the total amount of storage space that each origin could use. […]

Should each subdomain get 5MB of space? The standard says no. Quoting the spec, again:

User agents should guard against sites storing data under the origin’s other affiliated sites, e.g. storing up to the limit in a1.example.com, a2.example.com, a3.example.com, etc, circumventing the main example.com storage limit.

A mostly arbitrary limit of five megabytes per origin is recommended.

However, Chrome, Safari, and IE currently do not implement any such “affiliated site” storage limit. Thus, cleverly coded websites, like FillDisk.com, have effectively unlimited storage space on visitors’ computers.”
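The “affiliated site” limit the spec recommends, modelled as an added example (not code from the original post, nor from FillDisk): a quota keyed by the site a subdomain belongs to rather than by each origin. It assumes a simplified registrable-domain rule (last two DNS labels); a real browser would consult the Public Suffix List.

```javascript
// Added example: a per-site (not per-origin) localStorage quota, as the
// Web Storage spec advises. Assumption: the registrable domain is taken to be
// the last two host labels; real user agents use the Public Suffix List.
const PER_SITE_LIMIT = 5 * 1024 * 1024; // the spec's "mostly arbitrary" 5 MB

// Reduce an origin such as "https://a1.example.com" to its site, "example.com".
function siteForOrigin(origin) {
  const labels = new URL(origin).hostname.split('.');
  return labels.slice(-2).join('.');
}

// One storage budget shared by every origin under the same site, so that
// 1.example.com, 2.example.com, ... all draw from example.com's allowance.
class SiteQuota {
  constructor(limit = PER_SITE_LIMIT) {
    this.limit = limit;
    this.usedBySite = new Map(); // site -> bytes stored across all its origins
  }
  usage(origin) {
    return this.usedBySite.get(siteForOrigin(origin)) || 0;
  }
  // Try to store `bytes` on behalf of `origin`; false means the browser would
  // throw QuotaExceededError instead of writing.
  tryStore(origin, bytes) {
    const site = siteForOrigin(origin);
    const used = this.usedBySite.get(site) || 0;
    if (used + bytes > this.limit) return false;
    this.usedBySite.set(site, used + bytes);
    return true;
  }
}

// Check the quota against the numbered-subdomain pattern the post describes:
// `count` subdomains each asking for a full 5 MB. With a per-origin quota every
// request would succeed; with a per-site quota only the first one fits.
function simulateSubdomainWrites(count, perWriteBytes = PER_SITE_LIMIT) {
  const quota = new SiteQuota();
  let accepted = 0;
  for (let i = 1; i <= count; i++) {
    if (quota.tryStore(`https://${i}.example.com`, perWriteBytes)) accepted++;
  }
  return { accepted, totalBytes: quota.usage('https://example.com') };
}
```

Note that localStorage stores UTF-16 strings, so a browser counting characters rather than bytes would reach the limit at half the string length used here.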
