
How a web app can download and store over 2GB without you even knowing it - Nemmie
http://jclaes.blogspot.com/2012/03/how-web-application-can-download-and.html
======
sigil
The fact that there's a limit is not surprising. That the limit is 2GB is a
little surprising, but this is across all sites, so ok. That there's no cache
ejection when you reach the limit just seems like a bug. Why not use LRU?

~~~
moonboots
I would not want one rogue site evicting the caches of all other sites.

~~~
sigil
It's just a cache. It can be repopulated. But I see your point, a lower per-
domain quota would make more sense.
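
The two design points raised above (LRU eviction and a per-origin quota under a global cap) as an added, runnable toy model; this is not browser code and not from the original post. `QuotaManager`, `store`, `touch` and the origin names are hypothetical, and sizes are in MB.

```javascript
// Added example (not from the original page): a toy model of a shared
// application-cache quota with a global cap, a per-origin cap and LRU eviction.
// All names (QuotaManager, store, touch, usage) are hypothetical; sizes are in MB.

class QuotaManager {
  constructor({ globalLimit, perOriginLimit }) {
    this.globalLimit = globalLimit;       // cap across all origins
    this.perOriginLimit = perOriginLimit; // cap a single origin may occupy
    this.entries = new Map();             // "origin|url" -> { origin, url, size, lastUsed }
    this.clock = 0;                       // logical time used for LRU ordering
    this.evictions = [];                  // audit log: what was evicted and why
  }

  // Bytes used by one origin, or by everyone when origin is null.
  usage(origin) {
    let total = 0;
    for (const e of this.entries.values()) {
      if (origin === null || e.origin === origin) total += e.size;
    }
    return total;
  }

  // Mark a cached resource as used so it becomes most-recently-used.
  touch(origin, url) {
    const e = this.entries.get(`${origin}|${url}`);
    if (e) e.lastUsed = ++this.clock;
    return Boolean(e);
  }

  // Evict the least-recently-used entry, optionally restricted to one origin.
  evictLru(origin, reason) {
    let victimKey = null;
    let victim = null;
    for (const [key, e] of this.entries) {
      if (origin !== null && e.origin !== origin) continue;
      if (victim === null || e.lastUsed < victim.lastUsed) {
        victimKey = key;
        victim = e;
      }
    }
    if (victimKey === null) return null;
    this.entries.delete(victimKey);
    this.evictions.push({ key: victimKey, reason });
    return victimKey;
  }

  // Store a resource for an origin. Returns false if it can never fit.
  store(origin, url, size) {
    if (size > this.perOriginLimit || size > this.globalLimit) return false;
    const key = `${origin}|${url}`;
    this.entries.delete(key); // replacing an existing copy frees its space first
    // An origin over its own quota only displaces its own data ...
    while (this.usage(origin) + size > this.perOriginLimit) this.evictLru(origin, 'per-origin');
    // ... and can push out at most perOriginLimit of other origins' data globally.
    while (this.usage(null) + size > this.globalLimit) this.evictLru(null, 'global');
    this.entries.set(key, { origin, url, size, lastUsed: ++this.clock });
    return true;
  }
}

// Constructed scenario: one origin keeps writing; the others are bounded in what they lose.
function runScenario() {
  const qm = new QuotaManager({ globalLimit: 100, perOriginLimit: 30 });
  qm.store('https://a.example', '/level1.bin', 20);
  qm.store('https://a.example', '/level2.bin', 20); // over 30 -> evicts a's own LRU (level1)
  qm.store('https://b.example', '/app.js', 30);
  qm.store('https://c.example', '/app.js', 30);
  qm.touch('https://a.example', '/level2.bin');      // a's entry is now most recently used
  // Greedy origin writes 25 MB five times. Its per-origin cap makes it evict itself;
  // global pressure displaces exactly one other origin's LRU entry (b's app.js).
  for (let i = 0; i < 5; i++) qm.store('https://rogue.example', `/blob${i}`, 25);
  return {
    rogueUsage: qm.usage('https://rogue.example'),
    aUsage: qm.usage('https://a.example'),
    bUsage: qm.usage('https://b.example'),
    cUsage: qm.usage('https://c.example'),
    total: qm.usage(null),
    evictions: qm.evictions,
  };
}
```

The point the scenario makes is that with a per-origin cap well below the global cap, a single origin that keeps writing mostly churns its own entries; the damage it can do to other origins is bounded by its own quota rather than by the whole 2GB pool.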

------
AlexV
It would be fun to execute this against a mobile device, where storage is
expensive. 2GB might be all that is required to choke the device. A neat
client-side DDoS :)

~~~
objclxt
iOS (and Android I think, but I primarily dev iOS so that's where my knowledge
is) won't let a website exceed a 5MB local storage limit without explicit user
consent...so I suppose still technically possible, but not without getting the
user to agree to it first.

~~~
njs12345
I wonder if you could still perform a DOS by doing the following:

    - register 1000 domains
    - when the browser navigates to the first domain, store 5Mb
    - once the store has finished, redirect to the next domain
    - repeat steps 2-3 ad infinitum

Anybody know if this would work?

~~~
evanm
I mean, theoretically. But would a user actually willingly wait out this
process?

~~~
Joeri
They would if you do it in an iframe while letting them play a flash game.
They might even attribute slowdowns to the flash game.

------
notatoad
>As a user, I had no idea that the website I'm browsing is downloading a
suspicious amount of data in the background.

not when you're browsing localhost, because it's implicitly trusted. chrome
doesn't prompt you to allow access to the location services API when you're
local either, but it does prompt for permission on the web. does the browser
still not warn you if you try this same test using a remote server?

~~~
Nemmie
Hmm, that would be odd. Geolocation asks for permission even if it's
localhost. Also when I download Angry Birds, no permission is asked.

------
fl3x
This is not an issue in either Opera or Firefox. The title should probably
reflect that it's limited to Chrome (and possibly other Webkit browsers +
IE?).

~~~
halefx
Why is it not an issue in Opera and Firefox? Do they have smaller maximum
caches? Or do they notify you of the background transfers?

~~~
throwaway64
The default local storage limit for Firefox is 5 megs per domain.

~~~
fl3x
Sorry for nitpicking, but I think local storage is a part of Web Storage
(<http://dev.w3.org/html5/webstorage/>), and not Application Cache
(<http://www.whatwg.org/specs/web-apps/current-work/multipage/offline.html>
or <http://dev.w3.org/html5/spec/offline.html>).

I think that the Application Cache quota is not strictly connected to the
local storage and session storage limits.

~~~
ef4
That's correct. Chromium has talked about unifying all these kinds of storage
under one quota system, but it's not done yet.

