

HTML5 Storage Bug Can Fill Your Hard Drive

Dystopian Rebel writes "A Stanford comp-sci student has found a serious bug in Chromium, Safari, Opera, and MSIE. Feross Aboukhadijeh has demonstrated that these browsers allow unbounded local storage. 'The HTML5 Web Storage standard was developed to allow sites to store larger amounts of data (like 5-10 MB) than was previously allowed by cookies (like 4KB). ... The current limits are: 2.5 MB per origin in Google Chrome, 5 MB per origin in Mozilla Firefox and Opera, 10 MB per origin in Internet Explorer. However, what if we get clever and make lots of subdomains like 1.filldisk.com, 2.filldisk.com, 3.filldisk.com, and so on? Should each subdomain get 5MB of space? The standard says no. ... However, Chrome, Safari, and IE currently do not implement any such "affiliated site" storage limit.' Aboukhadijeh has logged the bug with Chromium and Apple, but couldn't do so for MSIE because 'the page is broken' (see http://connect.microsoft.com/IE). Oops. Firefox's implementation of HTML5 local storage is not vulnerable to this exploit."

199 comments

  1. So What's The Point by Anonymous Coward · · Score: 2, Insightful

    This seems like mental masturbation to me. I see no point in initiating such an "attack".

    If I understand correctly, you are going to expend great effort and possibly money on tens of thousands of subdomains, transfer a lot of data and incur bandwidth charges, in order to fill someone's hard drive? This is about the lamest DoS attack I have ever heard of. And the easy fix is to simply clear cookies?

    Come on, this is a non-issue looking to be a problem.

    1. Re:So What's The Point by MicrosoftRepresentit · · Score: 1, Interesting

Using JavaScript to generate the data quicker than most hard disks could write it, with no bandwidth usage other than fetching the script itself, so that's not a problem. But yeah, just a single gigabyte would require 200 subdomains so I'm not really seeing the danger here.

    2. Re:So What's The Point by gandhi_2 · · Score: 1

      Imagine the network usage bill for your VPS trying to fill every hard drive of every device that visits your site.

    3. Re:So What's The Point by Qzukk · · Score: 5, Insightful

      Subdomains are free. With a wildcard DNS record, you have nearly an infinite supply of them.

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    4. Re:So What's The Point by Anonymous Coward · · Score: 0

Subdomains do not cost any money, any domain can have an unlimited amount of them, and DNS servers can be configured to accept wildcard hostnames, so anyone could have infinite subdomains to attack with without any more effort than routing randomstring.domain.com to the same server with an Apache mod_rewrite rule to generate random content for that subdomain.

    5. Re:So What's The Point by The+Mighty+Buzzard · · Score: 5, Informative

      Really? You've never admin'd a dns server then. It's trivial to have one respond to wildcard subdomain names that you could generate dynamically on page load with one line of javascript.

      --
      Violence is like duct tape. If it doesn't solve the problem, you didn't use enough.
    6. Re:So What's The Point by utkonos · · Score: 1

      Not sure what effort you are referring to. I can create large numbers of subdomains using a simple script to modify the zone file. Subdomains cost nothing. No effort, and no money.
      Bandwidth is nearly nothing because I don't have to transfer any data to create data on the victim's drive if I use javascript.
      Lastly, you're not thinking about threats holistically. This just becomes one single tool added to a group of other tools that can be employed in an advanced persistent threat attack.

    7. Re:So What's The Point by bill_mcgonigle · · Score: 3, Interesting

      If you have a popular blog, there's no need to pay for network backup anymore - just drop enough 5MB blocks encrypted and with decent FEC to each of your readers. If you ever have a failure, just throw up a basic page with a funny cat picture and start restoring from your distributed backup.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    8. Re:So What's The Point by arth1 · · Score: 5, Informative

      It doesn't take much work or time to set up a wildcard CNAME entry pointing to a single web server that answers a wildcard. You now have billions of subdomains with a couple of minutes of work.
      The web instance serves a short javascript which generates a boatload of data on the client side, and then calls a random subdomain to reload the js with a new domain name.

      All this can be linked to a single ad (or blog comment, for vulnerable boards that allow css exploits).

    9. Re:So What's The Point by thetoadwarrior · · Score: 4, Interesting

      It's a web app, let the client generate it. You generate the free sub domains with a script or something a bit more intelligent but either way the cost should be minimal. I assume as well you wouldn't necessarily need to fill it completely. A gig or two might ruin the browser's performance.

    10. Re:So What's The Point by arth1 · · Score: 0

      Subdomains are free. With a wildcard DNS record, you have nearly an infinite supply of them.

      Pet peeve: "Nearly infinite" makes no sense, unless you mean infinite of a lower order (like infinity minus seven, which is still infinite).
      The number of possible wildcard DNS records exceeds anything you might possibly need, use, or want, but it's still a finite number, and not anywhere near infinite. It's much closer to zero than it is to even a billionth of a billionth of infinite.

      With a wildcard DNS record, you have as many subdomains as you need.

    11. Re:So What's The Point by Jiro · · Score: 5, Insightful

      That's not true.

      "Nearly infinite" means "it's not infinite, but it's large enough that it has most of the same practical effects as it would if it were infinite".

      You seem to be interpreting the word "nearly" to mean "has a numerical value close to" rather than "has effects similar to". Obviously it is nonsensical for something to be nearly infinite using that first definition, but that should be a warning sign that you're not using the definition that people mean, not that everyone else is speaking nonsense.

    12. Re:So What's The Point by TheRaven64 · · Score: 4, Informative

You misunderstand how the attack works. The client-side code is allowed to store 5-10MB per domain, but it can generate this data (math.random() will do it fine). The per-domain thing means that you need one HTTP request per 5-10MB, but on the server that will be a wildcard DNS entry always resolving to the same server. If you set the cache headers with a sufficiently long timeout, then you can probably have a single site hosting the .js (so the browser will only request it once) and then just send a tiny HTML page referencing it. The JavaScript then creates a new iframe with a new (random) subdomain as the target, and so each HTTP request to your server (total of about 1KB of traffic) generates 5-10MB of data on the client's hard disk.

      --
      I am TheRaven on Soylent News
    13. Re:So What's The Point by arth1 · · Score: 0

      You seem to be interpreting the word "nearly" to mean "has a numerical value close to" rather than "has effects similar to".

      I'd happily go for "has effects similar to", but it doesn't have any of the effects similar to infinity.
      Divide it by a large number, and it becomes noticeably smaller. Multiply it by a large number, and it becomes noticeably bigger.
      Subtract it from itself and it becomes zero instead of undefined.

      What I see is a use of "infinitely" as a synonym for "extremely large". It isn't, precisely because of the effects you mentioned.

    14. Re:So What's The Point by BaronAaron · · Score: 1

      The DNS specifications state the max length of a domain name is 253. Assuming you could get the smallest possible root domain name of 4 characters (x.cc for example) that means you would have 249 characters left.

      To complicate things a little more the specifications state each label (subdomain) can't exceed 63 characters. That means 3 full subdomains of 63 characters + 1 subdomain of 56 characters if you include the periods. Grand total of 245 characters to play with.

      The specifications state that the only valid characters are ASCII A-Z, a-z, 0-9, and hyphen meaning 63 potential values for each character.

      63^245 = 6.894e440 possible combinations.

More than the number of atoms in the observable universe by a few factors.

    15. Re:So What's The Point by Anonymous Coward · · Score: 1, Informative

      If you don't like "nearly infinite", it might be better to avoid saying things like "a billionth of a billionth of infinite", and even "infinity minus seven", without giving some sort of definition of what you're talking about. If you mean cardinals, then the values you appear to be talking about are trivially the same as the infinite cardinal you started with. If you mean ordinals, it doesn't look like there's any well-defined thing that corresponds to the phrases you're using.

      Your best bet might be to read up on hyperreals, because in that system expressions like r - 7 and r * 10^-18 do actually make some non-trivial sense where r is infinite, and your intuition is correct that there's no sensible definition of a "nearly infinite" hyperreal. But until you have some understanding of the transfer principle, or at least are familiar with the basic properties of the hyperreals, you'd be well advised to avoid such expressions, especially if you're math-naziing against everyday expressions like "nearly infinite" whose intended meaning is entirely clear. Take a look at this (or at this if you're more mathematically trained).

      Not trolling -- you're obviously interested in mathematics -- just pointing your enthusiasm in a useful direction :-)

    16. Re:So What's The Point by geekboybt · · Score: 2

      What if the data I stored was a string of "0" characters and the transfer was gz'd? That would shrink it quite drastically.

    17. Re:So What's The Point by Idbar · · Score: 1

      I have a redirect to my webpage. And I can spoof this using PHP, I've done it before so I can point people to a1.mypage.com or a2.mypage.com, they both hit the same index.php on the same system, yet show completely different things, how simpler you think would be to show the same thing instead?

    18. Re:So What's The Point by Anonymous Coward · · Score: 0

      You're being pedantic. How would the described situation differ from an otherwise identical situation where there were infinite possible sub domains. The observed effect depends on the presence of a sufficiently large number of subdomains, but would not change in the presence of infinite subdomains (unless you have a lot more hard drive space than is currently possible).

    19. Re:So What's The Point by Anonymous Coward · · Score: 0

Great effort? DNS has wildcards... one DNS record creates an infinite number of subdomains. And the data doesn't need to be transferred from the server... only the JavaScript code necessary to generate the data. A sub-1KB file can fill the entire quota.

      So doing the math, to fill a 1TB hard drive using Chrome, you'd need to use the quota of 419,431 subdomains requiring you to transfer less than 100MB of data to the target.

      It's still not a huge issue (browsers give you ways of managing and cleaning up local storage), but it's not a non-issue.

    20. Re:So What's The Point by Anonymous Coward · · Score: 0

      It's much closer to zero than it is to even a billionth of a billionth of infinite.

      Pet peeve: "a billionth of a billionth of infinite" makes no sense, unless you mean infinite of a lower order (like infinity minus seven, which is still infinite).

      If you're going to be a pedantic douche, make sure you stick to your own logic.

    21. Re:So What's The Point by Anonymous Coward · · Score: 0

      infinity minus 7 is not a valid mathematical expression you uneducated fuckwit.

      Infinity is a set that can be either countable or uncountable.

    22. Re:So What's The Point by sjames · · Score: 1

      Of course not. You will hack someone else's server and burn up their bandwidth.

    23. Re:So What's The Point by sjames · · Score: 1

      ServerAlias *.badguys.com

    24. Re:So What's The Point by Anonymous Coward · · Score: 0

      In this case the practical effects are exactly the same. Shut up and go learn about context.

    25. Re:So What's The Point by BlackPignouf · · Score: 1

      Well, the number of particles in the observable universe is finite.
      So everything that is included in this universe is also finite, and everything I know and can imagine in our universe is pretty much finite.

    26. Re:So What's The Point by Anonymous Coward · · Score: 0

      You don't even know what infinite means, so please give it a rest. There are many infinities, any child could have told you that. Go and learn something, start with sets.

    27. Re:So What's The Point by Anonymous Coward · · Score: 0

      Pet peeve: "Nearly infinite" makes no sense

Pet peeve: "makes no sense". If something actually made no sense, you'd be unable to parse, lex, or extract any information from it, and hence, unable to classify it as making no sense. I assume you really meant to say "makes little sense".

      --The "nearly infinite" pedant.

    28. Re:So What's The Point by Anonymous Coward · · Score: 0

      Pull your head out of your math!

    29. Re:So What's The Point by Anonymous Coward · · Score: 1

      A gig or two might ruin the browser's performance.

      A gig or two is baseline ram usage for a browser.

    30. Re:So What's The Point by Culture20 · · Score: 2

Reminds me of the gif of death, a blank PB sized image LZW compressed. It would crash browsers back in the day. Today it would probably wreak havoc with thumbnail file managers.

    31. Re:So What's The Point by geekboybt · · Score: 2

      Don't forget zip bombs, like 42.zip. Over 4 PB compressed down to 42k.

    32. Re:So What's The Point by Anonymous Coward · · Score: 0

      I'd happily go for "has effects similar to", but it doesn't have any of the effects similar to infinity.

      If a web server starts sending you infinite number of documents, your hard disk will eventually fill up.
      If a web server starts sending you 2^128 documents, your hard disk will eventually fill up.

    33. Re:So What's The Point by Anonymous Coward · · Score: 0

      an infinite supply of wildcard domains could use this exploit to fill your hard drive.
      a finite but very large supply of wildcard domains could use this exploit to fill your hard drive.

      SIMILAR EFFECTS.

    34. Re:So What's The Point by viperidaenz · · Score: 2

      So 1k per 10MB. That's a 10,000x multiplier.

Say I have 1TB free space. Before I run out of disk, it'll take 100MB of data, I'd be waiting for my browser to write out 1TB of data and there will be 100,000 HTTP requests made. 100,000 IFrames... Browser probably crashed after a few hundred.

      I think I'd close my browser because it stopped responding before I get anywhere near running out of space. At 100MB/s (average spinny disk sequential write speed. I doubt Javascript could keep up generating data with that though) it'd take nearly 3 days to write out 1TB.

    35. Re:So What's The Point by ArcadeMan · · Score: 1, Funny

      And those ads will be from Western Digital, Toshiba and Seagate.

    36. Re:So What's The Point by canadiannomad · · Score: 1

      So THIS is how Mega is getting all their disk space....
      Imagine:
      Everyone who uses the site is a node that is getting filled up by other people's encrypted garbage.... Free space, redundant, encrypted, distributed, and can charge for it... Perfect.

      --
Hmm, the humour and sarcasm seem to have been lost on you.
    37. Re:So What's The Point by Anonymous Coward · · Score: 0

      But, you forgot that you can have many more than three labels - for example, you don't account for a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.x.cc.

      As well, you can have shorter names, so that adds more valid permutations - for example, a.x.c is not accounted for in your calculation.

      I've not bothered to do the full analysis, but I think you might have missed by an entire small planetary body's worth of atoms. Some aliens somewhere may be very angry at you for ignoring them - beware.

    38. Re:So What's The Point by Anonymous Coward · · Score: 0

      Your math is wrong and your numbers are just crazy... I'm just gonna go in order.

      1k per 10MB is a 10,240 multiplier. But this is the least of my complaints, it just happens to come first

Let's say you have 1TB of free space. Sure, why not. I mean, you do, right? I'm skeptical the average computer user has over 100GB of free space on the partition that would get this data. Probably more like 40GB. But again, not your biggest mistake.

      1TB would take nearly 3 HOURS, not days, to write at 100MBs. I take no issue with the 100MBs estimate.

      Javascript will have no problem keeping up with the write speed of even the fastest hard drive. What exactly do you think it is doing? It can just randomly make a string that is 5k, and write the same 5k over and over again until the space is full.

    39. Re:So What's The Point by ShanghaiBill · · Score: 1

      Imagine the network usage bill for your VPS ...

      Imagine the profits for the HDD companies as people run out of space and order bigger and bigger disks. The HDD companies have the most obvious motive to exploit this bug.

    40. Re:So What's The Point by Bacon+Bits · · Score: 1

      Obviously it is nonsensical for something to be nearly infinite using that first definition, but that should be a warning sign that you're not using the definition that people mean, not that everyone else is speaking nonsense.

      But that would mean I'd have to agree that context carries as much information as the lexical meaning! How can I be an asshole on the Internet if I can't equivocate!

      --
      The road to tyranny has always been paved with claims of necessity.
    41. Re:So What's The Point by thegarbz · · Score: 1

      It doesn't take much work or time to set up a wildcard CNAME entry pointing to a single web server that answers a wildcard.

      Call me crazy but I seem to think that this is part of the default configuration for out of the box BIND. You set up all your domains and then drop the wildcard in at the bottom to catch everything else?

    42. Re:So What's The Point by Anonymous Coward · · Score: 0

      And the impact to the victim? Not really a big problem. Also when filling up a HDD fast the browser would probably end up less responsive, get noticed and possibly get closed.

      In contrast if the browser sets a hard 5MB limit on *.domain.com if the subdomains of *.domain.com are actually independent it could cause real problems if many subdomains legitimately require a MB each.

      One solution would be to make it easy to do housekeeping and clear the storage when necessary.

    43. Re:So What's The Point by Anonymous Coward · · Score: 0

      *Psst* Your aspergers is showing.

    44. Re:So What's The Point by Culture20 · · Score: 1

      Another annoying part is that it will be millions of small files, so it will take a while to finish. And even if the files aren't filling the drive, they may fill the inode tables.

    45. Re:So What's The Point by Anonymous Coward · · Score: 0

      3 *hours*, not days. And javascript - even in the browser - is easily capable of writing at 100MB/s on a typical system.

    46. Re:So What's The Point by Anonymous Coward · · Score: 2, Funny

      And the impact to the victim? Not really a big problem.

      Assume this happens to a typical Microsoft Surface user.

      How long will it take, and what is the consequence? What will they need to do to recover?

    47. Re:So What's The Point by KiloByte · · Score: 2

      1.955e393, actually.

      You made three mistakes:
      * placing dots differently can give quite a lot of combinations
* you can have subdomains shorter than the max, this effectively adds dots to the character set, with two restrictions: no two dots in a row/start/end, no string of >63 non-dots. The former reduces the base by a small but noticeable bit, the latter has only infinitesimal (colloquial sense) effect.
      * DNS names are case-insensitive

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    48. Re:So What's The Point by PylonHead · · Score: 1

      If you look at what he's saying, you'll see that the javascript only gets downloaded once for all the domains. For each domain you need an html page that just has a script link to the fixed js file (that your browser already has cached). So, think maybe 100 bytes per 5-10MB.

      --
      # (/.);;
      - : float -> float -> float =
    49. Re:So What's The Point by slimjim8094 · · Score: 1

      That's being foolish. A wildcard DNS entry will easily match more than hundreds of billions of domains. This is large enough that it's more than anybody could conceivably have a use for. The number of subdomains is in fact bounded, but actually even figuring out the limit is a mathematical exercise - not a practical concern.

      Consider - you have more than 200 quadrillion plastic ballpit balls. This is large enough that you can't count them in more than a million years, even if you counted very, very quickly. Thus, you can't even do one of the most basic things you'd want to do with a non-finite number - count it.

      Thus, nearly infinite in the practical sense that the GP meant, and everybody else took it to mean.

      --
      I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
    50. Re:So What's The Point by Anonymous Coward · · Score: 0

      Obviously it is nonsensical for something to be nearly infinite using that first definition, but that should be a warning sign that you're not using the definition that people mean, not that everyone else is speaking nonsense.

      Hmm... On the one hand, people correctly using a common word that I just don't understand. On the other hand, people having no clue about math or numbers or how to communicate clearly. Hmm, tough choice. Yeah, you're right, it's probably the first one. <eyeroll>

    51. Re:So What's The Point by smash · · Score: 1

      Pet peeve: people who can't understand that "nearly infinite" was intended to mean "essentially infinite" and feel the need to be a nazi about it because they have nothing of actual worth to contribute to discussion.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    52. Re:So What's The Point by smash · · Score: 1

      The inode tables thing is a good point. Even if the space is constrained via quota, unless the number of files is limited, you could perhaps create a mass of 0 byte files to perform an inode DOS without needing to bother about subdomain BS.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    53. Re:So What's The Point by viperidaenz · · Score: 1

      Add all the HTTP headers to your 100 bytes as well, along with the HTTP request too. The browser will be sending the referrer url, the user agent string, cache control headers, etc.
      1k seems reasonable.

    54. Re:So What's The Point by Anonymous Coward · · Score: 0

      WK6+@
      E>X4HFTS
      F21QDTCG
      936UU+K9
      LJ2HKDYD
      ONWPAKJ@
      D7-$VXT%
      W6-PCPRZ
      XS1Z#3O>
      UJNHWRQ1
      ZTAF3YBA
      XMM
      C2B6FJ42
      L67V4%H2

    55. Re:So What's The Point by davidshenba · · Score: 1

      Is the size cap on the file size on disk or on actual file size?

    56. Re:So What's The Point by Anonymous Coward · · Score: 0

      1 KiB per 10 MiB is a 10,240 multiplier.

      FTFY.

    57. Re:So What's The Point by arth1 · · Score: 1

      Pet peeve: people who can't understand that "nearly infinite" was intended to mean "essentially infinite" and feel the need to be a nazi about it because they have nothing of actual worth to contribute to discussion.

      Look a bit higher up - I believe I was the one who brought the whole wildcard CNAME used with a wildcard listening web server (serving a js) into the discussion.

      And, as said, it's a pet peeve. It's not "OMG YOU ARE WRONG DIE DIE DIE". Why are you so worked up about it that you even have to invoke Godwin?

    58. Re:So What's The Point by PylonHead · · Score: 1

      Fair enough. But then you turn on gzip compression and it drops to 1/7th of that...

      --
      # (/.);;
      - : float -> float -> float =
    59. Re:So What's The Point by PylonHead · · Score: 1

      Actually I don't think headers on either side get compressed.. so I'm probably totally wrong on this.

      --
      # (/.);;
      - : float -> float -> float =
    60. Re:So What's The Point by viperidaenz · · Score: 1

      yep, totally wrong

  2. Disable Javascript by Anonymous Coward · · Score: 3, Insightful

    Also, you're not vulnerable if you have javascript enabled.

    Such is life when your browser automatically downloads and runs arbitrary untrusted software.

    1. Re:Disable Javascript by DarkRat · · Score: 2

      so if I disable JS, I shouldn't go to that site?

    2. Re:Disable Javascript by Hentes · · Score: 1

      Or disable permanent storage on untrusted sites.

  3. I wonder how fast I can fill my harddisk... by Quazion · · Score: 1, Funny

    This sounds like a nice weekend project, wonder how fast you can fill up a harddisk with just some javascript.

    1. Re:I wonder how fast I can fill my harddisk... by Sockatume · · Score: 2

      Assuming 500GB free space and a 20Mbps ADSL connection, call it 2MB/s down... I make it almost three days.

      I think you would notice.

      --
      No kidding!!! What do you say at this point?
    2. Re:I wonder how fast I can fill my harddisk... by Anonymous Coward · · Score: 0

      Isn't HTML5 storage controlled by JS? Wouldn't it be faster to just set up a loop that locally writes garbage out to storage, rather than download everything from remote?

    3. Re:I wonder how fast I can fill my harddisk... by claar · · Score: 4, Insightful

      You're assuming that you have to download the files. It's highly likely the data could be generated locally in JavaScript.

      --
      I'd give my right arm to be ambidextrous...
    4. Re:I wonder how fast I can fill my harddisk... by Sockatume · · Score: 1

      Of course it is, ha.

      --
      No kidding!!! What do you say at this point?
    5. Re:I wonder how fast I can fill my harddisk... by Anonymous Coward · · Score: 0

      No, you would generate the data on the client side.

      See the example page: http://www.filldisk.com/ (plays music)

    6. Re:I wonder how fast I can fill my harddisk... by Anonymous Coward · · Score: 0

      Depends on how fast your hard drive is. You could probably fill 500GB in about an hour and a half.

    7. Re:I wonder how fast I can fill my harddisk... by TheRaven64 · · Score: 1

      His example filled 1GB every 16 seconds, so 500GB in about two hours. That was an SSD though - you're basically limited by your hard drive's write speed (for extra fun, you'll likely fill up the disk cache and start swapping...). You may get 100MB/s from linear writes to a spinning disk, if you're lucky, 20-30MB/s is more plausible. The data isn't fetched from the server, it's generated by the JavaScript.

      --
      I am TheRaven on Soylent News
    8. Re:I wonder how fast I can fill my harddisk... by vilanye · · Score: 1

      Technical ignorance is a virtue these days, I guess. Sockatume, this is the most stupid thing I have read all week. I award you the Hairyfeet weekly award for extremely dumbassity. Congrats

  4. Support response by Anonymous Coward · · Score: 2, Funny

    but couldn't do so for MSIE because 'the page is broken" (see http://connect.microsoft.com/IE). Oops

FUD! We haven't received a complaint yet.

Yours truly,
MS support.

    1. Re:Support response by Anonymous Coward · · Score: 0

      The link isn't even broken. It worked fine on 2 phones and my desktop. Yes, it very much is FUD.

    2. Re:Support response by cgimusic · · Score: 1

      Really? I just tried it and I get a basic page layout but no content.

    3. Re:Support response by Samantha+Wright · · Score: 1

      That's what I see too. Pretty sure that's working as designed.

      --
      Bio questions? Ask me to start a Q&A journal. Computer analogies available for most topics!
  5. Bug, or exploit? by Sockatume · · Score: 0, Troll

    I think the summary author gives the game away in the last sentence on this one. It's not a bug, which implies unintended behavior that can accidentally happen. It's intended behavior that can be deliberately exploited to bad effect.

    --
    No kidding!!! What do you say at this point?
    1. Re:Bug, or exploit? by DarkRat · · Score: 5, Informative

      no. it's a bug. the HTML5 spec clearly states that this exact behaviour should be looked out for and blocked

    2. Re:Bug, or exploit? by Anonymous Coward · · Score: 0

      It's not intended behavior being exploited. Did you even read the summary?

      >However, what if we get clever and make lots of subdomains like 1.filldisk.com, 2.filldisk.com, 3.filldisk.com, and so on? Should each subdomain get 5MB of space? The standard says no.

      It's a faulty implementation of the standard, which should be considered a bug, by any means.

    3. Re:Bug, or exploit? by Anonymous Coward · · Score: 0

So it's a FEATURE that they do NOT follow the STANDARD ... ok.

    4. Re:Bug, or exploit? by Anonymous Coward · · Score: 0

      Glad you are not involved in any aspect of the design and development workflow, go back to your WoW gaming wearing your "know it all" cap.

    5. Re:Bug, or exploit? by Anonymous Coward · · Score: 1

      It's called "Not Following The SPECIFICATION".

    6. Re:Bug, or exploit? by Sockatume · · Score: 1

      I have a doctorate and spend more time bathing in a given week than on videogames.

      --
      No kidding!!! What do you say at this point?
    7. Re:Bug, or exploit? by Anonymous Coward · · Score: 0

I have a Post-Doctorate in Distributed Computational Penile Tensionology along with many papers written, queer reviewed and published in top shelf publications.

    8. Re:Bug, or exploit? by Sockatume · · Score: 1

      Are we done here? My coffee break ends soon.

      --
      No kidding!!! What do you say at this point?
    9. Re:Bug, or exploit? by Anonymous Coward · · Score: 0

Not at all, I am very happy to help you waste your time on your coffee break :)

    10. Re:Bug, or exploit? by al.caughey · · Score: 1

      published with a brown paper wrapper too?

    11. Re:Bug, or exploit? by K.+S.+Kyosuke · · Score: 3, Insightful

      Except that the specification is perfectly fine, it's the implementation that does something different. Or do you claim that the HTML5 spec is wrong when it says that browsers should not allow for this DoS attack to happen? Stop being a dick and admit your mistake.

      --
      Ezekiel 23:20
    12. Re:Bug, or exploit? by thePowerOfGrayskull · · Score: 1

      I'd call that a design error. The browser is behaving as it is designed to, it's just that the way it's designed to behave is wrong.

      Which is, in other words, a bug.

      Why do people persist in believing that bugs can only happen in code?

    13. Re:Bug, or exploit? by DragonWriter · · Score: 2

      It's not intended behavior being exploited. Did you even read the summary?

      I read the summary. The author of the summary, however, has not read the spec, or, if they have, has failed to understand all of the following: (1) that the use of per-origin quotas is a recommendation, not a requirement, of the spec; (2) that the use of controls to prevent the use of affiliated origins to circumvent the recommended per-origin quotas is also a recommendation, not a requirement, of the spec; and (3) that the spec actually doesn't define what constitutes an affiliated origin, so that even if per-origin quotas and affiliated-origin identification-and-blocking were required by the spec, it would be impossible to judge whether any particular implementation complied with the requirement.

      If they understood any of those points, they wouldn't describe this as a "bug".

    14. Re:Bug, or exploit? by mjr167 · · Score: 1

      So it's Microsoft?

    15. Re:Bug, or exploit? by DragonWriter · · Score: 1

      Except that the specification is perfectly fine, it's the implementation that does something different.

      Well, except that if you actually read the specification, nothing raised in TFS involves doing something different than required by the specification, and, in fact, the relevant recommended-but-not-required functionality described in the specification isn't defined at all (there is no definition of "affiliated origin", and only one example given). It's outside of the simplest naive generalization of the example given, but that interpretation (e.g., treating all subdomains of the same 2LD as "affiliated origins") would also mean everything on, e.g., ".co.uk" would share the single-origin quota belonging to "co.uk".

    16. Re:Bug, or exploit? by DragonWriter · · Score: 1

      HTML5 spec clearly states that this exact behaviour should be looked out for and blocked

      There are two errors in this statement:

      • The less significant error is that the relevant spec is the Web Storage specification, not the HTML5 specification;
      • The more significant error is that while the spec recommends per-origin quotas (which most browsers have), and recommends taking measures to identify and prevent the use of affiliated origins to circumvent per-origin limits, it does not, in fact, define what constitutes "affiliated origins" for the purpose of that recommendation, it just provides one example of a set of origins (and the origins in that example are incompletely specified).
    17. Re:Bug, or exploit? by mcgrew · · Score: 1

      A bug is unwanted, undesigned for response. As this was designed in the equipment, it's a design flaw, not a bug.

      BTW, the world's first bug was a moth caught in a computer's wiring, hence its name. The first bug was indeed a hardware error, a short circuit caused by the moth.

    18. Re:Bug, or exploit? by Anonymous Coward · · Score: 0

      That's a ridiculous claim to make. By your logic, it's a design error that CPUs provide a "reset" instruction, because any privileged task could call it, and it could even allow non-privileged tasks to somehow call it.

      Sometimes, in the interest of having something usable and implementable, you relax a few constraints and tell the implementor to watch out for known issues. It's not an error. It's a concession.

    19. Re:Bug, or exploit? by Anonymous Coward · · Score: 0

      In what, being a dumbass?

    20. Re:Bug, or exploit? by Anonymous Coward · · Score: 0

      > that the spec actually doesn't define what constitutes an affiliated origin

      The cookie spec has the same problem, so this was likely an intentional oversight. (That is, they could use the same hardcoded logic they use for cookies to implement the quota.)

    21. Re:Bug, or exploit? by Anonymous Coward · · Score: 0

      It still shows a failure on the part of UA developers.

      From Web Storage recommendation:

      User agents should limit the total amount of space allowed for storage areas.

      From RFC2119:

      3. SHOULD This word, or the adjective "RECOMMENDED", mean that there may exist valid reasons in particular circumstances to ignore a particular item, but the full implications must be understood and carefully weighed before choosing a different course.

      So, tell me, what exactly are the valid reasons for NOT implementing this other than to allow a site to fill up your hard drive? It may be technically just recommended right now, but not implementing any kind of quota is a lack of foresight by the UA developers.

      As from the definition of "should", "the full implications must be understood and carefully weighed before choosing a different course" which is apparently not the case unless the developers thought a site filling up your hard drive was a good idea (in which case, they are morons).

    22. Re:Bug, or exploit? by camperdave · · Score: 1

      I have a doctorate and spend more time bathing in a given week than on videogames.

      I spend more time on videogames than on bathing, and I don't have a doctorate. Hmm... I wonder if there is some sort of correlation?

      --
      When our name is on the back of your car, we're behind you all the way!
    23. Re:Bug, or exploit? by DragonWriter · · Score: 1

      BTW, the world's first bug was a moth caught in a computers wiring, hence its name.

      No, it wasn't. The term "bug" predates that (and computers) as a term for faults in electrical systems. The well-known moth that is the source of this myth was described in the notebook to which it was taped as the "first known instance of an actual bug being found", clearly indicating that computer "bugs" had existed before that time, but that the novel thing wasn't the term, but the fact that an actual arthropod was located and identified as the source of the problem.

    24. Re:Bug, or exploit? by smash · · Score: 1

      So, tell me, what exactly are the valid reasons for NOT implementing this other than to allow a site to fill up your hard drive.

      The lack of ability to determine whether or not bar.foo.com and baz.foo.com are affiliated with one another. They may be the same company, they may be entirely different organisations. They should NOT therefore be forced to share the same storage quota.

      The spec as TFA author is interpreting it is broken. In actual fact, the spec leaves this open as an implementation detail and does not define the behaviour.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    25. Re:Bug, or exploit? by thePowerOfGrayskull · · Score: 1

      A design flaw is a bug in the design. Dubious historical etymology notwithstanding.

      A bug can exist anywhere in your stack - requirements, design, implementation, test.

    26. Re:Bug, or exploit? by Anonymous Coward · · Score: 0

      The post you replied to refers to a global quota:

      From Web Storage recommendation:

      User agents should limit the total amount of space allowed for storage areas.

      If a site can fill the drive then there is not even a global quota. So what's the reason for not implementing a global quota?

      In actual fact, the spec leaves this open as an implementation detail and does not define the behaviour.

      You're right, it does leave it open, but it's RECOMMENDED. Which means you should implement it unless there is a really good reason not to and there is no good reason not to implement a global quota.

    27. Re:Bug, or exploit? by mcgrew · · Score: 1

      Hmmm... it appears that you are correct.

      Word nerds trace the word bug to an old term for a monster - it's a word that has survived in obscure terms like bugaboo and bugbear and in a mangled form in the word boogeyman. Like gremlins in machinery, system bugs are malicious. Anyone who spends time trying to get all the faults out of a system knows how it feels: after a few hours of debugging, any problems that remain are hellspawn, mocking attempts to get rid of them with a devilish glee.

      And that's the real origin of the term "bug." But we think the tale of the moth in the relay is worth retelling anyway. (TechWorld)

    28. Re:Bug, or exploit? by Sockatume · · Score: 1

      Not HTML5's specification, Firefox's.

      --
      No kidding!!! What do you say at this point?
    29. Re:Bug, or exploit? by Sockatume · · Score: 1

      Just to be clear on this, if Mozilla failed to obey the HTML5 spec on offline storage, then that's a design error in Firefox, and even the most complete, perfectly bug-free version of Firefox is not going to address their original oversight. Any more than a completely bug-free version of Internet Explorer 6 is going to be standards-compliant.

      This is important stuff. All mistakes are not equal.

      --
      No kidding!!! What do you say at this point?
  6. Re:Anonymous coward bug can fill your anus by Deekin_Scalesinger · · Score: 1, Offtopic

    Entirely offtopic, (and I am prepared for the karma hit) but today is my birthday!

    --
    "As the intrepid kobold companion continues his journey, he begins to wonder... if priests raises dead, why anybody die?
  7. Re:Anonymous coward bug can fill your anus by Anonymous Coward · · Score: 0

    Have a good one Deekin

  8. It's a feature! by sootman · · Score: 3, Interesting

    1.porn.com, 2.porn.com, 3.porn.com...

    Actually, that could be handy -- you could store lots of music from song.album.artist.someMP3site.com.

    --
    Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
    1. Re:It's a feature! by sootman · · Score: 3, Interesting

      Come to think of it, it could lead to problems. What if you read a lot of blogs hosted on wordpress.com? Or use many apps on *.google.com?

      --
      Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
    2. Re:It's a feature! by fatphil · · Score: 2

      Of course, you highlight another potential DOS - in the scenario you mention, one site can reduce the quota available to another subdomain, as they share it. It's a lose-lose situation: permit DOSing the user, or permit DOSing other sites on the same 2LD.

      Let's hope they understand how ccTLDs are organised. I don't like the idea of every site under *.co.uk sharing the same 5MB. When they specified cookies, they fucked up, I don't trust them to have learnt from their mistakes and got HTML5 correct, far from it.

      --
      Also FatPhil on SoylentNews, id 863
    3. Re:It's a feature! by DragonWriter · · Score: 1

      Let's hope they understand how CCTLDs are organised. I don't like the idea of every site under *.co.uk sharing the same 5MB.

      There's probably a reason that, contrary to the implication in TFS, the actual Web Storage Candidate Recommendation:

      • Recommends, but does not require, a per-origin quota,
      • Recommends, but does not require, user agents to take steps to identify and prevent use of "affiliated origins" to circumvent per-origin quotas,
      • Does not, in the preceding recommendation, provide a concrete definition of an "affiliated origin", leaving it up to UA implementors to determine, if they are going to follow the recommendation to identify and limit the use of "affiliated origins", how best to identify that origins are affiliated.
    4. Re:It's a feature! by TheRaven64 · · Score: 2

      There's an interesting paper by the Chrome guys from a couple of years back trying to define exactly what a web application is. A modern browser is trying to be an OS, and one of the fundamental tasks of an OS is isolating applications from each other. This is relatively difficult, as two applications may exchange files or use the same libraries, but at least they are launched as different processes. A web application is a tangle of resources from a variety of different domains running in one or more browser windows, each of which may contain things from an overlapping set of servers that are not part of the application. Any serious attempt at isolation is doomed to fail.

      One of the nice things about Java and Flash applets is that they provide a cleaner mechanism for saying 'this is part of the applet, but these other things aren't', although with the DOM APIs that these expose even that is quite flexible.

      --
      I am TheRaven on Soylent News
    5. Re:It's a feature! by smash · · Score: 1

      I guess the way to do this is via certificate - and allocate x MB of storage per SSL certificate.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
  9. Another annoying Chromium Bug... by CajunArson · · Score: 1

    On Linux using the pepperflash plugins, lots & lots of zombie processes get created and aren't even killed after you exit the browser. When I noticed 5GB of memory usage on an empty desktop, I realized that Chromium is a pro-zombie browser.

    --
    AntiFA: An abbreviation for Anti First Amendment.
    1. Re:Another annoying Chromium Bug... by The+MAZZTer · · Score: 2

      Chrome will remain running if you have apps installed that want to run in the background. There is an option in Settings to suppress this behavior. On Windows Chrome keeps a notification icon showing so you can shut down the browser and force these background apps to quit. Other platforms probably have something similar.

      Chrome also keeps a process running for Cloud Print, if you have it enabled.

      The 5GB is probably a badly-behaving app/extension. Check Chrome's Task Manager to figure out which one.

    2. Re:Another annoying Chromium Bug... by Anonymous Coward · · Score: 1

      On Linux using the pepperflash plugins, lots & lots of zombie processes get created and aren't even killed after you exit the browser. When I noticed 5GB of memory usage on an empty desktop, I realized that Chromium is a pro-zombie browser.

      The what plugins? Since when does anyone use PepperFlash on Chromium? Are those even included in Chromium builds, as opposed to straight-up Chrome?

      Regardless, long story short, despite its other flaws, I never see this on the plain Flash plugin.

  10. Re:Opera is not vulnerable by Sockatume · · Score: 2

    Is this a thing? People get tribal about browsers?

    --
    No kidding!!! What do you say at this point?
  11. Mobile devices? by dclozier · · Score: 4, Insightful

    Devices with smaller drives like a cell phone, tablet or laptops like Google's Pixel would be more vulnerable. Perhaps if you created some javascript that simply made requests to iterated subdomains that simply returned a small amount of javascript that then generated large amounts of text to store locally? The bandwidth needed would be much less then and the same amount of damage done. I have no idea if this scenario is possible though so take this with a grain of salt.

  12. wordpress.com? by malignant_minded · · Score: 1, Insightful

    isn't everyone's blog a subdomain?

    1. Re:wordpress.com? by Anonymous Coward · · Score: 0

      > isn't everyone's blog a subdomain?

      There's no technical restriction to why you would use a subdomain for a certain kind of content (like a blog). So no.
      This is a blog: http://www.ikeahackers.net/ - No subdomain. What you consider to be a blog seems ill-defined.

    2. Re:wordpress.com? by malignant_minded · · Score: 2

      Let me clarify, as I thought it was clear but apparently not: isn't everyone that uses wordpress.com to host a blog using a subdomain of wordpress.com? If that is true, doesn't that make this standard a little difficult to follow?

    3. Re:wordpress.com? by Anonymous Coward · · Score: 0

      Wow, you're a fucking moron.

    4. Re:wordpress.com? by Ziktar · · Score: 1

      Yes, but typically wordpress blogs don't need to store local content for a fancy HTML5 app.

    5. Re:wordpress.com? by Anonymous Coward · · Score: 1

      I was thinking the same thing, but in a different site...what about dyndns or no-ip and their ilk as well? If Firefox has implemented things this way then how hasn't this come up as a problem with any of these kinds of sites? They've had to have some of their people see this issue.

    6. Re:wordpress.com? by Anonymous Coward · · Score: 0

      what about co.uk then?

    7. Re:wordpress.com? by 91degrees · · Score: 1

      There are quite a few largely independent third and even fourth level domains. International URLs for example often have something like com.au or .co.uk. Then there are ISPs in those countries. It's less common now but there are still a few username.demon.co.uk accounts kicking about.

    8. Re:wordpress.com? by Beorytis · · Score: 1

      It's only difficult to follow (in that particular case) if all the wordpress blogs you read have a need for local storage that exceeds the limit.

    9. Re:wordpress.com? by malignant_minded · · Score: 1

      It's not the user that follows the standard, it's the browser and its developers that determine "yeah we can do that". As many people pointed out this would have impacts on more than my example, it's just the one at the tip of my tongue. I can only guess the devs looked at that and said "that breaks too much" and tossed the 'suggestion' for this standard aside. I'm sure the devs thought about more than stupid wordpress sites. I doubt they would set this up to work on some domains and not others, it's likely we follow this or we don't so the particular use case is irrelevant.

  13. Re:Opera is not vulnerable by Anonymous Coward · · Score: 0

    Are you new to the internet? Of course they do. People have been "getting tribal" about browsers since Netscape vs. IE back in like 1995.

  14. Re:Opera is not vulnerable by Anonymous Coward · · Score: 0

    Yep, Firefag fanbois have to go out of their way to tell everyone they use it. Even in stories for other browsers.

  15. much easier than you think by Anonymous Coward · · Score: 3, Informative

    , transfer a lot of data and incur bandwidth charges,

    Posting anonymously since this shows how it could be done.

    I don't see any need to transfer data. Simply generate random strings programmatically. One could easily write a few lines of code. The storage API is a 'key' and 'value' system, so just randomly generate keys and randomly generate values in a loop. Super easy. For the subdomain stuff, like others have said, wildcard for DNS. Then just serve the small js file that runs, then programmatically generates a new random subdomain to dynamically load the js file.

    The end point is that you don't need a lot of data bandwidth to screw up someone's computer.

  16. Re:Opera is not vulnerable by Anonymous Coward · · Score: 0

    Welcome to 1997!

    Webkit was developed precisely because of this!

  17. Firefox... by Anonymous Coward · · Score: 0

    Firefox is only safe from the exploit because it'll max out your RAM and crash well before it has a chance to fill your hard disk.

    It does this normally, without even trying.

    1. Re:Firefox... by Cyko_01 · · Score: 1

      I think it is time you upgraded from firefox 2.0

  18. Read the spec: recommendation, not requirement by DragonWriter · · Score: 5, Informative

    no. it's a bug. the HTML5 spec clearly states that this exact behaviour should be looked out for and blocked

    It's not a bug. While the Web Storage API Candidate Recommendation (related to, but not part of, the HTML5 spec) both says that user agents should set a per-origin storage limit and should identify and prevent use of "origins of affiliated sites" to circumvent that limit, it doesn't specify either what constitutes an "affiliated site", and neither of those things that it says "should" be done are requirements of the specification. "Should" has a quite specific meaning in the specification (defined by reference in the spec to RFC2119), and it's not the same as "must", instead:

    SHOULD This word, or the adjective "RECOMMENDED", mean that there may exist valid reasons in particular circumstances to ignore a particular item, but the full implications must be understood and carefully weighed before choosing a different course.

    So, it's both a recommendation rather than a requirement, and not specified clearly enough to be implemented. There are some cases where origins of the same second-level domain are meaningfully affiliated, and some times where they are not (for a clear case of the latter, consider subdomains of ".co.uk".) It's pretty clear that origins which differ only in protocol are almost always going to be affiliated by any reasonable definition (e.g., http://www.example.com/ and https://www.example.com/ which are different origins), but no automatic identification of origin affiliation by subdomain can be done simply without understanding of per-domain policies from the TLD down to the first level at which all subdomains are affiliated. (And this is a problem which will get worse with the planned explosion of TLDs.) W

    1. Re:Read the spec: recommendation, not requirement by Kupfernigk · · Score: 1
      You must be awful fun when talking to customers. They tend not to understand the distinction between "shall" and "should".

      "there may exist valid reasons in particular circumstances to ignore a particular item" - in other words, this is a case where the feature should ALWAYS be applied to generic software because that must deal with all circumstances, not just "particular" ones.

      It really should not be hard to have a popup that says "This web page wants to create local storage on your computer allow/disallow", for instance, and then let the user decide if this is a particular circumstance.

      --
      From scarped cliff or quarried stone she cries "A thousand types are gone, I care for nothing, no not one."
    2. Re:Read the spec: recommendation, not requirement by DragonWriter · · Score: 5, Informative

      You must be awful fun when talking to customers. They tend not to understand the distinction between "shall" and "should".

      There is a reason why internet specifications (whether or not they are from IETF, and often whether or not they are even intended as standards-track) reference the RFC2119 definitions. "MUST" vs. "SHOULD" is an important distinction.

      In this particular case, what's even more important is that the recommended functionality at issue isn't defined at all, there is just one example -- and the example doesn't fully specify the origins, so it's an incomplete example -- given and no definition of the parameters of the identification of "affiliated origins". So if it was a "MUST", it would be a broken standard (since it would be impossible to assess conformance), and as it is, it's impossible to say whether a particular implementation even implements the recommended functionality.

      "there may exist valid reasons in particular circumstances to ignore a particular item" - in other words, this is a case where the feature should ALWAYS be applied to generic software because that must deal with all circumstances, not just "particular" ones

      Any particular user agent is a "particular circumstance" (it is specific software with a specific use case within the scope of all possible kinds of user agents which might implement the Web Storage API); there is no such thing as an implementation that must deal with "all circumstances".

      It really should not be hard to have a popup that says "This web page wants to create local storage on your computer allow/disallow"

      It's not at all hard, but that's not related to the recommendation to implement per-origin quotas, or the further recommendation to build on top of the per-origin quotas functionality to detect and limit the use of "affiliated origins" to circumvent the per origin quotas, which is what is at issue here. Per-origin allow/disallow for Web Storage use isn't even a recommendation of the specification. (Though it is explicitly permitted behavior.)

    3. Re:Read the spec: recommendation, not requirement by Anonymous Coward · · Score: 1

      but no automatic identification of origin affiliation by subdomain can be done simply without understanding of per-domain policies from the TLD down to the first level at which all subdomains are affiliated

      Yes, this is major breakage in browser specifications. It's also a solved problem.

      It has been necessary for years because cookie security relies on it. The solution is a bloody great list of effective TLDs. It's not pretty but it works.
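
The effective-TLD approach this reply describes, together with the co.uk concern raised earlier in the "It's a feature!" subthread, worked through as an added example (not code from the thread or from any browser; the suffix list, the limits and the host names are constructed for illustration):

```javascript
// Added example, not code from the thread or from any browser: a toy Web
// Storage quota tracker showing the "affiliated origins" recommendation
// implemented with an effective-TLD list, next to a plain per-origin quota.

// Constructed subset of an effective-TLD (public suffix) list. Real user
// agents use the full list from publicsuffix.org; this is illustration only.
const EFFECTIVE_TLDS = new Set(["com", "org", "uk", "co.uk", "org.uk", "wordpress.com"]);

const MB = 1024 * 1024;

// Per-origin key: scheme + host + port, exactly as Web Storage partitions data.
function originKey(origin) {
  return new URL(origin).origin;
}

// "Affiliated site" key: the registrable domain (effective TLD plus one label).
// Scheme and port are dropped, so http:// and https:// variants of one host
// share a group; 1.filldisk.com and 2.filldisk.com both map to filldisk.com;
// a.co.uk and b.co.uk stay separate because co.uk is itself an effective TLD.
function affiliatedSite(origin) {
  const host = new URL(origin).hostname.toLowerCase();
  const labels = host.split(".");
  for (let i = 0; i < labels.length; i++) {
    const suffix = labels.slice(i).join(".");
    if (EFFECTIVE_TLDS.has(suffix)) {
      // The host is a bare suffix (e.g. "co.uk"): no registrable domain above it.
      if (i === 0) return host;
      return labels.slice(i - 1).join(".");
    }
  }
  // Unknown TLD: be conservative and treat the whole host as its own site.
  return host;
}

// Tracks bytes admitted per group and in total. Both limits are what the
// spec recommends (a per-origin quota and an overall cap), made concrete here.
class StorageQuota {
  constructor({ perGroupBytes, totalBytes, groupKey }) {
    this.perGroupBytes = perGroupBytes;
    this.totalBytes = totalBytes;
    this.groupKey = groupKey;
    this.used = new Map();
    this.total = 0;
  }

  // Returns true if a write of `bytes` from `origin` is admitted, false if it
  // would push the group or the whole store over its limit.
  request(origin, bytes) {
    const key = this.groupKey(origin);
    const current = this.used.get(key) || 0;
    if (current + bytes > this.perGroupBytes) return false;
    if (this.total + bytes > this.totalBytes) return false;
    this.used.set(key, current + bytes);
    this.total += bytes;
    return true;
  }

  usedBy(origin) {
    return this.used.get(this.groupKey(origin)) || 0;
  }
}

// Simulates the pattern from the summary: one write of `bytesEach` from each
// of 1.<base>, 2.<base>, ... n.<base>. Returns how many writes were admitted.
function subdomainSweep(quota, base, n, bytesEach) {
  let admitted = 0;
  for (let i = 1; i <= n; i++) {
    if (quota.request(`https://${i}.${base}`, bytesEach)) admitted++;
  }
  return admitted;
}

function demo() {
  const limits = { perGroupBytes: 5 * MB, totalBytes: 50 * MB };
  const perOrigin = new StorageQuota({ ...limits, groupKey: originKey });
  const perSite = new StorageQuota({ ...limits, groupKey: affiliatedSite });
  return {
    // Per-origin only: every subdomain is a fresh 5 MB bucket, so only the
    // overall cap stops the sweep (50 of 200 one-megabyte writes admitted).
    perOriginAdmitted: subdomainSweep(perOrigin, "filldisk.com", 200, MB),
    // Affiliated grouping: all 200 subdomains share filldisk.com's 5 MB.
    perSiteAdmitted: subdomainSweep(perSite, "filldisk.com", 200, MB),
    // Independent registrants under co.uk are not penalised by the grouping.
    coUkAdmitted: subdomainSweep(perSite, "co.uk", 10, MB),
  };
}

console.log(demo());
```

Without a suffix list the grouping has to guess, which is exactly the co.uk problem raised above; with one, the sweep across subdomains collapses to a single quota while unrelated registrants keep their own.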

    4. Re:Read the spec: recommendation, not requirement by thegarbz · · Score: 1

      You must be awful fun when talking to customers. They tend not to understand the distinction between "shall" and "should".

      So are you saying that a fun systems engineer talking to a client will therefore land the client in legal hot water? These kinds of things should not be fun for exactly that reason. As a customer I would greatly appreciate it if some of the vendors dispensed with the bullshit and clearly defined what should and what shall be done. Projects have a tendency to go much better when that happens and everyone leaves happy.

    5. Re:Read the spec: recommendation, not requirement by smash · · Score: 1

      Best post in thread.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
  19. Except that it isn't inconsistent with the spec by DragonWriter · · Score: 1

    It's called "Not Following The SPECIFICATION".

    I think you need to review the relevant portion of the specification, particularly the use of the word "should" and the reference to RFC2119 for the specific definition of "should" that is applicable when used in the specification.

    1. Re:Except that it isn't inconsistent with the spec by Anonymous Coward · · Score: 0

      Not that you're wrong, but I did like the "so you're saying we 'should' switch to Firefox?" response in the bug post. That was a pretty snappy comeback to that point.

  20. Editing by guttentag · · Score: 1

    A Stanford comp-sci student has found a serious bug in Chromium, Safari, Opera, and MSIE.

    OK, so we're talking about Google, Apple, Opera and Microsoft. But then...

    The current limits are: 2.5 MB per origin in Google Chrome, 5 MB per origin in Mozilla Firefox and Opera, 10 MB per origin in Internet Explorer.

    Now we're talking about Google, Mozilla, Opera and Microsoft. Where did Mozilla come from, and where did Apple go?

    Chrome, Safari, and IE currently do not implement any such "affiliated site" storage limit.' Firefox's implementation of HTML5 local storage is not vulnerable to this exploit.

    Now we're talking about Google, Apple, Microsoft and Mozilla. Apple's back, and Opera is left out this time, and even though the author seemed to be indicating that Mozilla's browser was on the vulnerable list, now it's set apart.

    Editors, if a summary is inconsistent, please clean it up or don't promote the story.

    1. Re:Editing by Beorytis · · Score: 1

      Where did Mozilla come from, and where did Apple go?

      The first part was talking about bugs; the second was talking about storage limits. Mozilla has no bug but does have a storage limit. Apple presumably has the bug, but we don't know what its storage limit is.

    2. Re:Editing by ledow · · Score: 1

      And Opera loses mention later on entirely. Probably because the bug doesn't exist on the last few Opera stable versions at all:

      http://www.ledow.org.uk/Opera.jpg

  21. HTML5 Browsers? by Anonymous Coward · · Score: 0

    I use Internet Explorer, you insensitive clod!

  22. No evidence spec is not being followed. by DragonWriter · · Score: 1

    So it's a FEATURE that they do NOT follow the STANDARD ... ok.

    The specification at issue is not a standard, it's a Candidate Recommendation. Okay, that's a technicality, but more importantly:
    They are following it; both the per-origin quotas themselves and the controls regarding preventing use of affiliated origins to circumvent the quotas are recommendations (should), not requirements (must), of the spec, so even if they were not implemented at all, the implementation could be following the spec completely.
    Further, the spec never defines criteria for determining affiliated origins with regard to the controls preventing circumvention of per-origin limits, so the fact that it doesn't prevent the particular use of related origins that were at issue in this test doesn't mean they don't have controls of the type recommended.

  23. Distributed storage? by tippe · · Score: 1

    I wonder if one could create some form of useless distributed storage using this. Basically get your web app to use this 5MB of free space on each computer that visits you as the storage media for a filesystem. It would be atrociously slow (access time for a particular block could be hours, days, weeks or longer), unreliable (non-repeat visitors or visitors that clear their cache represent data loss) and difficult to expand (to grow your storage you'd have to convince more people to visit your site), but if you were really bored and had nothing else to do, it could be an interesting project.

    It sort of reminds me of a hack/proof-of-concept "storage" method somebody once told me was possible using "ping". Basically ping a host with an ICMP ping packet having the data you want to store in the "payload"; the destination host will apparently send this payload back to you in the ICMP response. Apparently, if you ignore (don't ACK) the response, the destination host will continuously try to resend the packet back to you, effectively storing your data "in the network". When you want to retrieve the data, ACK the response...

    1. Re:Distributed storage? by Anonymous Coward · · Score: 0

      Just what I was thinking -- set up something like Dropbox, but without all the costs of servers... With enough copies on unsuspecting hosts, it might even be fast. Unethical sure, but would this be illegal?

    2. Re:Distributed storage? by Adm.Wiggin · · Score: 1

      In case anyone else finds your comment about using ping for a filesystem as fascinating as we did, here's TFA: http://www.shysecurity.com/posts/PingFS

    3. Re:Distributed storage? by tippe · · Score: 1

      Oh cool! And here I was half thinking the story of ping-based storage was a load of crap, especially since my attempts to find references to it with google were never successful. Thanks for the link!

  24. Awesome for FireFox! by EmagGeek · · Score: 0

    Now, not only will FireFox slowly eat up gigabytes of RAM, but it'll also silently and slowly fill your entire hard disk!

    I was wondering when the leaking-storage feature would mutate from RAM to disk.

    1. Re:Awesome for FireFox! by Anonymous Coward · · Score: 0

      Didn't even RTFS - FireFox is /not/ vulnerable to this.

      -Posted from 417MB of FireFox.

    2. Re:Awesome for FireFox! by gman003 · · Score: 2

      Erm, you got it backwards. Firefox implements the standard properly, and is thus not vulnerable to disc-filling attacks of this sort. It's every other browser that is vulnerable.

    3. Re:Awesome for FireFox! by DragonWriter · · Score: 1

      Erm, you got it backwards. Firefox implements the standard properly

      Since the actual behavior of the recommended-but-not-required functionality to identify "affiliated" origins and prevent their use to circumvent the likewise recommended-but-not-required per-origin quotas is not actually specified in the Web Storage specification (particularly, the criteria for defining affiliated origins are never specified, all that is provided is one example of a set of incompletely-specified origins as an example of affiliated origins), it is inaccurate:

      • To say that a browser which does not implement any functionality in this regard does not implement the standard "properly", or
      • To even say based on any particular test that a browser does or does not implement the recommended behavior.
    4. Re:Awesome for FireFox! by Anonymous Coward · · Score: 0

      Now, not only will FireFox slowly eat up gigabytes of RAM, but it'll also silently and slowly fill your entire hard disk!

      From TFS: "Firefox's implementation of HTML5 local storage is not vulnerable to this exploit."

      I'm all for hating on Firefox, but at least get your facts straight before you do.

    5. Re:Awesome for FireFox! by Anonymous Coward · · Score: 0

      Can you get an emag called "Hooked on Phonics?"

    6. Re:Awesome for FireFox! by Derek+Pomery · · Score: 1

      Not only that, but on his other point, since the memshrink project took off, Firefox has been using significantly less memory than other browsers.
      On my system, for 5-10 tabs, Firefox uses about half as much memory as Chrome. For a large number of tabs, Chrome explodes to gigabytes of memory while Firefox doesn't go up by much at all.
      Not to mention tab groups make organising that large number of tabs a lot easier.

      https://blog.mozilla.org/nnethercote/category/memshrink/

      --
      -- perl -e'print pack"H*","6e656d6f406d38792e6f7267"' /. ate my old sig. Bastards.
  25. Re:Opera is not vulnerable by Baloroth · · Score: 2

    Is this a thing? People get tribal about browsers?

    Well, he could just be annoyed about the summary being blatantly wrong, since it specifically says that the bug exists in Opera when, in fact, it does not.

    But yeah, people can be a bit competitive about their favorite browser. Not as bad as emacs vs. vi or anything, but it does happen a bit.

    --
    "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
  26. Disk quotas by Anonymous Coward · · Score: 1

    This is why I have disk quotas enabled on my personal machine, even though I'm the only user. I don't want a rogue process under my UID using up those last few GB that the system will eventually need.

  27. Opera? by ledow · · Score: 2

    I call crap on the Opera thing.

    Latest stable Opera browser here, 12.14, updated 5th February:

    http://www.ledow.org.uk/Opera.jpg

    No mention of this in the 12.14 release notes (even as a "vulnerability with details to follow later", which is common practice for Opera changelogs), and silence on the article about exactly how/why/where Opera is vulnerable.

    If something pops up a million times and asks you for a Gigabyte and you click yes, then that's perfectly accepted user permission to do so.

    1. Re:Opera? by oji-sama · · Score: 1

      I wonder how that works. I got that question after the counter was at 76MB. Well, at least it did ask, eventually. So I guess Opera is safe from this.

      --
      It is what it is.
  28. Internet Explorer feedback page by Anonymous Coward · · Score: 0

    http://connect.microsoft.com/directory/?keywords=internet+explorer
    https://connect.microsoft.com/IE/4792
    These pages work just fine. Seems like Feross didn't look hard enough for the proper place to file an MSIE bug.

  29. Re:Opera is not vulnerable by Anonymous Coward · · Score: 0

    Yes. Most of them have moved on to Chrome lately. You should hear the Chrome guys bash Firefox lately. Just look at the twit comments here about how this will let Firefox fill your RAM and your HDD. Even though it's completely wrong and inane. People are stupid. And not just about sports teams or religious and political affiliations.

  30. Re:Opera is not vulnerable by CrashNBrn · · Score: 1
    Considering Opera has these default settings in Opera:Config

    Persistent Storage
    Domain Quota Exceed Handling For localStorage: 1 (Open a dialog when the quota for local storage is exceeded)
    Domain Quota For localStorage: 5120
    Global Quota For localStorage: 102400
    User JS Storage Quota: 0 (Quota in kilobytes available for user script storage. Set to 0 to prevent any use.)

    Yeah, I'd say it's not vulnerable to a hard-drive-filling exploit.

    Opera definitely has issues with site compatibility - usually due to browser sniffing, rather than actual standards that aren't implemented.
    But it is far and above most of its kin as far as security is concerned.

  31. Re:Opera is not vulnerable by Algae_94 · · Score: 1

    Browsers, phones, computers, cars, TVs, etc. People get tribal about everything that is branded. When did we go from having faith that brand X made good products to "everything other than brand X is complete crap!"?

  32. What I have seen by azav · · Score: 2

    I've seen Safari taking up to 8 GB of RAM. This seems due to sloppy variable clearing and this makes the swap file larger and can easily end up taking over your HD.

    Safari ends up being the biggest bloated pig with regards to RAM management on my Mac.

    --
    - Zav - Imagine a Beowulf cluster of insensitive clods...
    1. Re:What I have seen by Bacon+Bits · · Score: 1

      Is it also the application you use the most? And was that RAM actually in contention for other processes?

      --
      The road to tyranny has always been paved with claims of necessity.
    2. Re:What I have seen by Anonymous Coward · · Score: 0

      if you didn't ask it to do 8gb of ram's worth of work, it wouldn't. your computer, and the software on it, is actually under your control, you know.

    3. Re:What I have seen by azav · · Score: 1

      Xcode is what I use the most. I have Safari open as well as the Activity Monitor where I monitor the Real mem, Private mem and Shared mem.

      Simply quitting Safari will often free up between 6 to 8 GB.

      --
      - Zav - Imagine a Beowulf cluster of insensitive clods...
  33. Filesystems can do the same (read)... apk by Anonymous Coward · · Score: 0

    Let's say malware creates millions of 0-byte files - not a big deal, right? Especially since they take no space themselves??

    WRONG!

    Eventually - they'll "bloat" any Master File Tables (a la MFT$ on Windows NT-based OS, or FAT tables on other MS filesystems - this goes for Linux and BSD types like MacOS X too) with their accounting entries!

    (And, thus, do it LONG enough? No more space... & deceivingly so!)

    This is a KNOWN problem in ANY FILESYSTEM OUT THERE... unless someone can correct me & prove otherwise. Thanks, IF you can, that is...

    APK

    P.S.=> I've always wondered WHY this was never done in malware-in-general (virus/rootkit/spyware, you-name-it/insert type here)... however, then again - today's "malware maker" isn't out to just "do mischief" as was the ones of "the halcyon days of yore/yesteryear"...

    No, instead nowadays as we all mostly know here?

    They WANT to "hang around" & get YOUR MONEY or personal information instead OR to 'enslave' your rig into a botnet, again, to rent out & make coins/dead-presidents with!

    (So "blowing up your system" really ISN'T in their "best interests"!)

    That's probably the ONLY reason why this hasn't been used as a form of attack imo...

    ... apk

  34. Re:Opera is not vulnerable by jones_supa · · Score: 1

    Linux Mint fanboys are another similar group.

  35. Re:has FF fixed their memory leak? by jones_supa · · Score: 1

    Ain't those FF memory leak issues already a blast from the past?

  36. Plenty of ways to do it by jones_supa · · Score: 1

    There are many, many ways to exhaust the resources through a browser. Just generate a huge document. Or sit in a recursive loop in JS until the stack fills the memory. By using imagination, various other methods can probably be found.

    1. Re:Plenty of ways to do it by fatphil · · Score: 1

      And does nobody remember the GIF of death? (e.g. a 65535x65535 blank gif, so a relatively small file as it compresses incredibly well. And if a browser adds sanity checks for huge sizes, just make the GIF size 1 pixel less than the cut-off, duh!)

      --
      Also FatPhil on SoylentNews, id 863
  37. Cautionary tale by phizi0n · · Score: 1

    And this is why software homogenization is bad. Webkit is becoming the new IE6 but has far greater consequences because every smartphone is using a webkit based browser by default. Yes it also affected IE and Opera but Opera cut their core developers and are moving to Webkit so soon there will only be 3 major engines with one of them having a complete monopoly on smartphones.

    1. Re:Cautionary tale by viperidaenz · · Score: 1

      There are 3 or 4 smartphones out there using the Trident layout engine.

    2. Re:Cautionary tale by phizi0n · · Score: 1

      3 or 4 phones that nobody is buying. Android and iOS dominate the market and both use Webkit browsers.

    3. Re:Cautionary tale by viperidaenz · · Score: 1

      You misread what I said. I said 3 or 4 phones, not 3 or 4 models of phones :)

  38. Will comment by Anonymous Coward · · Score: 0

    once I've cleared my cache

  39. Allow no storage at all. by RocketRabbit · · Score: 1

    Since the supercookie BS started, my policy is to allow only certain sites to store cookies, and no sites are allowed local database storage.

    It doesn't seem to actually break any sites either.

  40. I turned that garbage off by Anonymous Coward · · Score: 1

    How to disable HTML5 DOM Storage:
    http://securitygarden.blogspot.com/2010/08/how-to-disable-dom-storage-cookies.html

    And everything works just fine without that garbage. Plus, I don't like cookies that are never deleted!

  41. Re:Anonymous coward bug can fill your anus by Anonymous Coward · · Score: 0

    Works on Reddit...

  42. Business opportunity by fa2k · · Score: 1

    You should try my new HTML5-enabled cloud storage site. Unlimited cheap space, really fast uploads :)

  43. Re:has FF fixed their memory leak? by Anonymous Coward · · Score: 0

    they ain't fixed yet!

  44. standard is broken by smash · · Score: 1

    Should each subdomain get 5MB of space? The standard says no

    So, where is the limit supposed to apply? To all subdomains of .com? To all subdomains of .au? How about my ISP who offers me FOO.power.on.net? Should every customer's website on power.on.net have to share the same space?

    Poorly thought out standard is poor.

    The browsers obviously didn't put a limit in for subdomains because it doesn't make sense. You have no idea where the organisational boundary is with regards to domain vs. subdomain.

    Correct solution here I guess is to limit the space your browser can consume (we're in 2013 now, maybe give it 1GB in total, adjustable) and move on.

    --
    I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    1. Re:standard is broken by smash · · Score: 1

      By "didn't put a limit in for subdomains", I of course mean "didn't include subdomains in the parent's quota".

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
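The two mitigations discussed in comments 30 and 44 above, as an added example that is not part of the thread or of any browser's code: a toy quota model with a per-domain quota, an Opera-style global cap, and optional grouping of origins by registrable domain. The public-suffix list is a constructed stand-in (real browsers use the Mozilla Public Suffix List), and the entry for "power.on.net" is assumed purely to illustrate the ISP example.

```javascript
const KB = 1024;

// Constructed, deliberately tiny public-suffix list for this demo only.
// "power.on.net" is an assumption: an ISP listing it is how a browser learns
// that each customer subdomain is a separate organisational boundary.
const PUBLIC_SUFFIXES = new Set(["com", "net", "power.on.net"]);

// Reduce a hostname to its registrable domain: longest public suffix + 1 label.
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i + 1).join("."))) {
      return labels.slice(i).join(".");
    }
  }
  return host.toLowerCase(); // unknown suffix: whole host is its own group
}

class StorageQuota {
  // Defaults mirror the Opera values quoted in the thread: 5120 KB per domain,
  // 102400 KB global. groupBySite decides whether subdomains share one bucket.
  constructor({ perDomainKB = 5120, globalKB = 102400, groupBySite = true } = {}) {
    this.perDomain = perDomainKB * KB;
    this.global = globalKB * KB;
    this.groupBySite = groupBySite;
    this.used = new Map(); // bucket name -> bytes stored
  }
  bucketFor(host) {
    return this.groupBySite ? registrableDomain(host) : host;
  }
  totalUsed() {
    let sum = 0;
    for (const v of this.used.values()) sum += v;
    return sum;
  }
  // Request `bytes` of storage for `host`; returns true if the policy allows it.
  request(host, bytes) {
    const bucket = this.bucketFor(host);
    const current = this.used.get(bucket) || 0;
    if (current + bytes > this.perDomain) return false; // per-domain quota
    if (this.totalUsed() + bytes > this.global) return false; // global cap
    this.used.set(bucket, current + bytes);
    return true;
  }
}

// How the policy behaves when 200 subdomains of one site each ask for 5 MB.
function simulate(groupBySite) {
  const q = new StorageQuota({ groupBySite });
  let granted = 0;
  for (let i = 1; i <= 200; i++) {
    if (q.request(`${i}.filldisk.com`, 5120 * KB)) granted++;
  }
  return { granted, totalMB: q.totalUsed() / (KB * KB) };
}
```

With grouping, the whole site is held to one 5 MB bucket; without it, the global cap still stops the run at 100 MB, which is the fallback the thread credits Opera with.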
  45. Might explain something. by Dabido · · Score: 1

    Wondering if this is what happened to me the other day. My HD started to fill up unexpectedly, and it was at a greater speed than I was downloading. It went from over 500GB to about 200GB in 30 minutes. I was looking through all the different processes trying to figure out which one was causing the issue so that I could kill it. I ended up closing Safari down and the 500GB suddenly reappeared. At the time I figured it was a bug. Just makes me wonder if it is this bug.

    --
    Sure enough, the cow costume was hanging up next to the superhero outfit and sailors uniform. (S,Spud)