HTML5 localStorage allows sites to fill up users' hard disks - feross
http://feross.org/fill-disk/

======
pilif
So. The question I'm asking myself now is how to fix this. Giving
<wildcard>.domain.com a shared quota will allow one tumblr or github pages
user to monopolize all storage, effectively removing local storage for this
kind of scenario (also removing it for the host which is even more annoying).

A maybe workable solution would be to only allow creation of new keys for the
first-party origin. What I mean is that whatever.example.com has full access
if that's what the user is currently viewing directly in their browser.

<wildcard>.example.com embedded via iframes could either get read-only access,
or read-write access for existing keys. Also maybe limited to, let's say, 4K.

This sounds like a really complicated solution though. Any better ideas?

~~~
briansmith
Any kind of DOM storage (cookies, localStorage, IndexedDB, etc.) is ephemeral.
The browser needs to decide the maximum amount of disk space that it wants to
consume, and then when it hits that limit, it needs to start throwing away
(garbage collecting) some of the data based on some policy like LRU.

If the web app really needs permanent storage then that permanence of storage
needs to be granted explicitly by the user.

~~~
Tichy
I think localStorage already asks the user.

~~~
daleharvey
It doesn't; IndexedDB and the filesystem API do though.

------
m_st
Reminds me how filing bugs with Microsoft is such a pain!

There's no category for Windows 8 on MS Connect, so when we found a bug in
Windows 8 RTM I found the name of an MS employee working on the feature in
question on the MSDN forums, then through Google found his LinkedIn profile
where he luckily published his eMail address.

Microsoft should be ashamed.

It seems like the best way to file a bug these days is to create a blog post
and publish it to HN, Reddit or so...

~~~
UnoriginalGuy
I'm actually aware of a very significant user impacting bug in Windows 8
(hint: It can cause every process in your startup/autorun list to not start
consistently). But I have no way to report it to them...

Has impacted my system multiple times since upgrading to Windows 8.
Fortunately I know a work-around (eject the optical disc in the optical drive)
but still -- annoying that I cannot even report it.

~~~
m_st
Good luck getting anything done for it.

The bug we found is affecting a lot of Swiss customers (I admit Switzerland
isn't so big) and it took a month until I got a useful reply.

Now we have a bug number and were told that the issue should be fixed "early
this year" and changes would be checked in in March. Whatever that means...

At least their employees were kind enough to reply to my eMail. But this
company should really improve their error reporting.

------
benaiah
(Mildly OT) Well, that's interesting. The link has been changed since it was
posted - it originally pointed directly at the demo which began to fill your
disk. Is this a mod thing, or can the original submitter do it?

Either way, it was a good call. Automatically playing music _and_ filling my
hard drive with no warning is a terrible idea.

~~~
feross
I'm the author. Looks like the mods changed the link and spoiled my fun ;)

------
DigitalSea
Please sir, may I have some more? This is awesome. I got to 935MB of space
used before Google Chrome on Windows 7 64-bit crashed dramatically. However,
good news, when I restored the tabs it resumed right where it left off filling
up my hard drive.

~~~
rplnt
I got to over 2GB and then Chrome crashed (not dramatically, just a tab). Fun
fact is that I was not running the "exploit" in Chrome. I was testing it in
Opera and I suspect that it was cheating and allocating more and more memory
for all the local storage instead of dumping it out to hard drive. So the system
ran out of memory and something had to go... I still find it funny that it was
Chrome :)

~~~
DigitalSea
Haha yeah, that is a bit strange. When Chrome crashed for me it was every
process, not just the one tab, which I rarely see happen these days. Let's hope
the Chrome team implement a fix for this ASAP, not holding my breath on an IE
fix for at least a year or so given their prior history for patching things.

------
pcwalton
This kind of thing is a good reason why a monoculture would be bad for the
Web. It's entirely possible that, if WebKit had a monopoly, Web sites would
rely on subdomains' space not being counted toward the parent domain's space,
and it'd be impossible to fix this bug without breaking the Web. But because
we don't have a monoculture and some browsers implemented subdomain limits,
Web sites haven't been able to rely on WebKit's behavior. So WebKit will be
able to fix the bug without breaking the Web—which is better for WebKit, and
better for the Web.

------
yefim323
I was really annoyed by the fact that the "disk filling" started as soon as I
clicked the link. However, the point really hit home. Is there a solution for
this browser-side?

EDIT: The link has been changed to the blog post describing the phenomenon.
Good riddance!

~~~
feross
You can use Firefox. Firefox actually implements a reasonable storage limit
policy for this. 10MB for an entire domain (all subdomains included)

~~~
lerouxb
How does Firefox determine if something is a domain or a subdomain? Obviously
the term subdomain is relative, so domain.com is already a subdomain of .com.
But what about countries like the UK or South Africa where domains are
commonly subdomains of .co.uk and .co.za?

Is there some generic way to know when a domain should be treated as a
subdomain or do they basically hardcode the exceptions?

Example: does domain1.co.uk and domain2.co.uk share the same limit in Firefox?
Probably not, but how does it know to treat them as separate?

~~~
lerouxb
I see there's a list online: <http://publicsuffix.org/>

------
eksith
Well this is frightening. You don't even need to create subdomains since
basically anyone with wildcard subdomains enabled can do this without a sweat.
All you need is a random number generator and rewrite x.domain.com to
domain.com and the browser is none the wiser.

Though I can't quite imagine why anyone would _want_ to do this to some random
stranger. Unless you knew the visitor or had some means of personally
identifying him/her, there are more devastating ways of filling up a remote HD
with just an IP and hostname (nmap and friends come to mind).

~~~
jacobr
Pretty bad for a company if someone injects a HD-filling script to their site.

~~~
eksith
So then this would really be handy in a mud-slinging campaign. Maybe against a
competitor. Any visitors would be treated to a massive drain on storage and
other delights, but then the victim would still need to have multiple
subdomains and/or wildcard subdomains enabled.

------
curiousdannii
The Chromium developers really dislike localStorage
(<http://code.google.com/p/chromium/issues/detail?id=58985#c7>)

They'll have to fix this bug, but I won't be surprised if they try to remove
localStorage entirely soon.

~~~
romaniv
It sounds like they hate synchronous APIs. Well, the synchronous nature of it
wouldn't be a problem if:

1. JS had language-level support for asynchrony.
2. The implementation of retrieval was performant enough or allowed for some way
to control the granularity of reads from the code.

I really dislike the idea that the only simple API for local storage will
be gutted because of reasons quite tangential to what it does.

~~~
khuey
So synchronous APIs wouldn't be a problem if they were 1. Asynchronous or 2.
Guaranteed to be really really fast? You do realize that the problem is that
you can't guarantee that spinning rust will be fast, right?

~~~
kevingadd
I think he said that asynchronous APIs are a problem because they're hard to
use well from JS, and that the performance of localStorage is a problem in
part because the granularity of reads and writes is poorly specified.

Both of these things are true.

------
tantalor
Some analysis of how this works,

1. The main page contains an iframe which serves this script:

<https://github.com/feross/filldisk.js/blob/master/static/frame.html>

2. This script writes a 2,500,000-length string to local storage, which
should occupy at least 2.5MB (probably much more). This matches the maximum
storage per sub-domain.

3. This script then reloads the iframe on a different subdomain but the same
script. GOTO 2.

~~~
feross
Yep, I included lots of comments in the source code so that people could check
it out and learn how it works: <https://github.com/feross/filldisk.js>

~~~
tantalor
Thanks! Nothing better than well documented code. I found it very easy to
follow.

------
martin_
So apparently this is where you file IE bugs <http://connect.microsoft.com/IE>
\- I'm not sure if it's expected or ironic that it's broken. Great find btw!

~~~
hobs
<http://connect.microsoft.com/directory/non-feedback> It's actually on the
list of items not currently "receiving feedback" whatever that means.

~~~
yuhong
That is because MS just released IE10 for Win7.

------
hoodoof
Wouldn't this have earned the guy a $60,000 Chrome bug bounty if he had
reported it through the right channels?

~~~
recuter
It isn't a bug.

~~~
hoodoof
Leads to Chrome crashing after filling up a user's hard disk. That's a big bug.

------
AdamTReineke
FYI, if you're on IE10, hitting the Stop button seems to throw a local storage
exception and doesn't clear the space.

~~~
AdamTReineke
And if anybody knows how to reclaim that space, let me know... Clearing cache
and cookies for the domain didn't work.

~~~
frankacter
Clearing the Storage Areas

Session state is released as soon as the last window to reference that data is
closed. However, users can clear storage areas at any time by selecting Delete
Browsing History from the Tools menu in Internet Explorer, selecting the
Cookies check box, and clicking OK. This clears session and local storage
areas for all domains that are not in the Favorites folder and resets the
storage quotas in the registry. Clear the Preserve Favorite Site Data check
box to delete all storage areas, regardless of source.

<http://msdn.microsoft.com/en-us/library/cc197062%28v=vs.85%29.aspx#_clear>

------
chrismorgan
HTML5 localStorage does _not_ allow sites to fill up users' hard disks
(without their permission).

_Bad, non-conforming implementations_ do.

------
okamiueru
Here is how it looked in Opera: <http://i.imgur.com/SOoadOB.png>

~~~
espadrine
Too bad that outstanding solution will be vaporized from the face of this
earth and replaced by Chrome's implementation!

~~~
eCa
Why is it assumed that Opera will be exactly the same as Chrome?

Is it not possible for Opera to keep their own implementation of LocalStorage
(and other things)?

Am I wrong in assuming RenderEngine != Browser?

~~~
bzbarsky
Opera has stated publicly that they will be using all of Chromium (which would
include LocalStorage, V8, etc), not just WebKit per se.

~~~
eCa
Thanks! Must have missed that...

------
bzbarsky
This is why Firefox has a quota on localStorage, per eTLD+1. Of course people
keep complaining about this quota...

------
yaix
Just ask the user if it's okay, like with geo data, translate web site, etc.

"Allow example.com to track your location?" [Yes] [No]

"Allow a1.example.com to store x MB of data locally?" [Yes] [No]

Also

> The HTML5 Web Storage standard was developed to allow sites to store larger
> amounts of data (like 5-10 MB) than was previously allowed by cookies (like
> 4KB).

Main difference is that cookies are uploaded to the server with each request,
while localStorage is not.

~~~
afhof
That is a good way to never ever ever use a feature again. "Frightening
Message: This website wants to do something scary. Do you want to allow some
bad thing to happen to your computer?" That is how lay people, i.e. the people
needed for mass adoption, read browser requests for Geo, storage, and other
permissions.

It would be better to have sane and safe defaults in the browser, rather than
pester the user. Would cookies have worked if the browser asked for permission
on every website?

~~~
okamiueru
It could be done as in Opera, where there is an initial limit, and a request to
exceed it when maxed.

<http://i.imgur.com/SOoadOB.png>

~~~
tripzilch
Heh, that may possibly be one of the final features for other browsers to copy
from Opera, before they join the herd and switch to webkit :)

I'm actually not sure how much that'll change Opera, and affect their way of
innovating new features to include.

------
Untit1ed
Finally a good non-ideological reason to use Firefox :)

~~~
smnrchrds
Actually it is kind of ideological: Firefox is following standards

~~~
exterm
you can use this as a reason for using opera, too.

------
catshirt
i liked that when i originally clicked the link it filled my harddrive and
played music. satire, people.

------
farseer
The solution is simple but ugly:

A root domain www.example.com can utilize up to 10MB of storage while subdomains
count towards that storage limit. Any domain trying to access more
will automatically result in a user prompt. An exemption can be made for
domains/subdomains that present a valid SSL certificate, the whole idea is to
prevent abuse.

~~~
harshreality
How would that work if the malicious page used IP addresses instead of
hostnames? Then it's only a matter of how many IP addresses the author can
use.

~~~
pixl97
Being that IPv4 addresses are something that's having a bit of a shortage
these days, it's not at the top of the list of things to worry about.

That said, if you're one of the few that has IPv6 access, this could turn in
to an issue pretty quick.

------
TheAnimus
This could be quite a problem for users of SSDs who lack TRIM support.

IIRC Apple were selling MacBook Airs with no TRIM support if the user didn't
pay to upgrade OSX.

If a malicious user felt so inclined they could with just a few domains create
a bit of a write load that would quickly fragment and hurt the performance of
the SSD.

------
mablae
How is that done?

Isn't there a limit of 5MB(?) per domain defined in the HTML5 Spec for
LocalStorage?

~~~
kevincrane
<http://feross.org/fill-disk/>

He explains here that most browsers (except Firefox) don't follow the standard
close enough, and ignore the exception for subdomains, i.e. 1.filldisk.com,
2.filldisk.com, etc.

~~~
wisty
Wait, haven't I heard this song before?

It's the one about cookies, and *.co.uk (i.e. every commercial site in the UK)
sites all sharing the same cookies, because they all look like subdomains. Or
was it all *.friendly-hosting-company.com sites?

The fundamental problem is, there's no easy way to distinguish domains and
subdomains.

~~~
desas
It doesn't happen for .co.uk, it does happen for .nhs.uk (by design).

<http://publicsuffix.org/> has the list that you use to distinguish
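
A model, added here and not code from the page or from filldisk.js, of the two quota policies the thread contrasts: charging each subdomain origin separately (which the rotating-subdomain pattern tantalor describes defeats) versus Firefox's per-eTLD+1 accounting that lerouxb and bzbarsky discuss. The suffix rules are a constructed excerpt rather than the real publicsuffix.org list, and the 10MB cap is the figure quoted in the thread.

```javascript
// Constructed excerpt of public-suffix rules (NOT the real publicsuffix.org list):
// a hostname's registrable domain (eTLD+1) is its longest matching rule plus one label.
const SUFFIX_RULES = new Set(["com", "uk", "co.uk", "github.io"]);

function publicSuffix(host) {
  const labels = host.toLowerCase().split(".");
  let best = labels[labels.length - 1];       // default rule: the bare TLD
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    if (SUFFIX_RULES.has(candidate) && candidate.split(".").length > best.split(".").length) {
      best = candidate;
    }
  }
  return best;
}

// Returns null when the host itself is a public suffix (e.g. "co.uk"), so no site owns it.
function etldPlusOne(host) {
  const labels = host.toLowerCase().split(".");
  const n = publicSuffix(host).split(".").length;
  return labels.length > n ? labels.slice(labels.length - n - 1).join(".") : null;
}

const QUOTA_BYTES = 10 * 1024 * 1024;   // the 10MB per-domain limit the thread attributes to Firefox

// Ledger charging each write to a bucket chosen by keyFn: per origin (the broken
// behaviour) or per eTLD+1 (the fix). Returns false when the write would exceed the cap.
class QuotaLedger {
  constructor(keyFn) { this.keyFn = keyFn; this.used = new Map(); }
  tryWrite(host, bytes) {
    const bucket = this.keyFn(host) ?? host;
    const current = this.used.get(bucket) || 0;
    if (current + bytes > QUOTA_BYTES) return false;
    this.used.set(bucket, current + bytes);
    return true;
  }
  totalBytes() { return [...this.used.values()].reduce((a, b) => a + b, 0); }
}

// Replays the pattern tantalor describes: one 2,500,000-char (5,000,000-byte UTF-16) value
// per rotating subdomain of filldisk.com, and reports how many writes each policy accepts.
function simulate(keyFn, subdomains) {
  const ledger = new QuotaLedger(keyFn);
  const chunkBytes = 2500000 * 2;
  let accepted = 0;
  for (let i = 0; i < subdomains; i++) {
    if (ledger.tryWrite(`${i}.filldisk.com`, chunkBytes)) accepted++;
  }
  return { accepted, totalBytes: ledger.totalBytes() };
}

console.log("per-origin  :", simulate(h => h, 100));        // accepts all 100 writes
console.log("per-eTLD+1  :", simulate(etldPlusOne, 100));   // accepts only 2 writes
```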

------
tquai
Ahhh.... I wrote a response wondering out loud why this doesn't work on my
browser, then checked the source, and it's javascript. No wonder, I browse
without it!

"Yeeaahhpp, with enough javascript one can blow up just about anything."
~Tyler Durden

~~~
kevincennis
How do you know if someone browses with JavaScript disabled? Don't worry,
they'll tell you.

------
sfaruque
I'm working on writing a guide on how to use localStorage to publish on
www.localstorage.org.

Should I include a part about the possible abuses?

------
__herson__
Firefox 16 in Linux Mint isn't affected

<http://i.imgur.com/xD17VZK.jpg>

------
frozenport
Opera is safe! It prompts for more disk space.

------
redmattred
This is also possible using the FileWriter API (currently only supported by
Chrome: <http://caniuse.com/filesystem>).

Oddly enough, Google Chrome prompts you to grant file system access, but
doesn't explicitly tell you how much space is being asked for.

------
nightpool
IE10 public bug site, btw:
<http://connect.microsoft.com/IE/SelfNomination.aspx?ProgramID=4792&pageType=1>

------
akandiah
Would this work on an Android device with Froyo/Gingerbread? Because, some of
those devices will never be updated. Hence, this can be used to practically
disable a device.

------
jiggy2011
Got to ~800MB and then chrome crashes.

~~~
benatkin
I made it to 1.6GB. Leaving it there until I need the space. :)

------
muglug
Mitigation: there's an option in chrome://flags that converts all these images
to dog pictures.

------
chris_wot
Is there a bug logged with Mozilla?

~~~
jfoster
Firefox isn't vulnerable to this.

------
hbe_
*checking if cuckoobox.com is available

------
mcnemesis
Is there a means to inspect (and or modify) what apps are putting into my
local storage? something similar to cookie inspection?

~~~
benaiah
In Chrome, you can go to Settings->Advanced Settings->Content
Settings->Cookies->All Cookies and Site Data, and it will list sites using
your localStorage.

~~~
mcnemesis
Thanks, gave me a chance to peek at which sites/apps have been running
experiments on my box (web db stuff, ...).

The thing I still find disturbing is that unlike cookies, it seems not
easy/direct to view the contents of a localstorage (other than its meta-data).

~~~
pilif
It's cumbersome, but visit the site in question and use the web inspector. The
resources tab lists the various keys and values for that site.
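
A small inspector along the lines of what mcnemesis asks for, as an added example rather than the page's own code: it sizes every key in a Storage object so the big consumers stand out. It assumes only the standard Storage interface (length, key(), getItem()); the stub and the sample contents are constructed so the block also runs under Node.

```javascript
// Summarizes what a Storage object holds: per-key size (DOM strings are UTF-16, so
// 2 bytes per code unit is the floor the browser must persist) and the totals.
// Pass window.localStorage in a page's web inspector console, or the stub below offline.
function summarizeStorage(storage) {
  const items = [];
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    const value = storage.getItem(key) ?? "";
    items.push({
      key,
      chars: value.length,
      bytes: (key.length + value.length) * 2,
      preview: value.slice(0, 40),
    });
  }
  items.sort((a, b) => b.bytes - a.bytes);          // biggest consumers first
  const totalBytes = items.reduce((sum, it) => sum + it.bytes, 0);
  return { items, totalBytes, totalMB: Number((totalBytes / (1024 * 1024)).toFixed(2)) };
}

// Constructed stand-in for localStorage so the example runs outside a browser (Node).
function makeStorage(entries) {
  const map = new Map(Object.entries(entries));
  return {
    get length() { return map.size; },
    key: (i) => [...map.keys()][i] ?? null,
    getItem: (k) => (map.has(k) ? map.get(k) : null),
  };
}

// Constructed sample contents: a small settings object and one 2,500,000-char value
// of the size the fill-disk demo writes per subdomain.
const SAMPLE = makeStorage({
  settings: '{"theme":"dark"}',
  blob: "x".repeat(2500000),
});

const report = summarizeStorage(SAMPLE);
for (const it of report.items) {
  console.log(`${it.key.padEnd(12)} ${it.chars} chars  ${it.bytes} bytes  "${it.preview}"`);
}
console.log(`total: ${report.totalBytes} bytes (${report.totalMB} MB)`);
```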

------
viseztrance
The message is OK, but personally I have an issue with websites playing sound
without my consent.

~~~
benatkin
OK, why does YouTube get a free pass on this? Nobody has ever given me a good
reason.

~~~
Arkeus
By visiting a YouTube video, I am giving YouTube my consent to play me a
video, including any sound it might contain. I completely expect YouTube
videos to play sound and am prepared for it, unlike websites such as this.

~~~
benatkin
All it takes is a redirect.

~~~
tjoff
What's your point? That people can be annoying?

~~~
benatkin
No, that this is a double standard people have. They gripe about any non-
YouTube site playing audio, but say nothing when they click a bit.ly link that
redirects to a YouTube video page.

~~~
lmm
People absolutely do complain when they click a bit.ly link that redirects to
a YouTube video page.

