Anatomy of a “feature” – what happens if a website grabs all your disk space?

HTML5 allows websites to save data on your hard disk for the next time you visit.

Much like cookies, only different.

The cookie system in HTTP has two big disadvantages compared to what’s generally referred to in HTML5 as Web Storage.

Firstly, cookies are wastefully sent in the HTTP headers of every request made back to the server that set the cookie in the first place.

Secondly, cookies are limited in size, mainly because of the first reason, to about 4KBytes.

In the modern, data-rich web, that doesn’t leave much room to manoeuvre.

The Web Storage system, however, is driven by JavaScript, not by HTTP headers, and is actually surprisingly simple to use.

You just set properties on the localStorage JavaScript object inside the browser, and read them back later.

The official W3C standards document offers an example like this:

<p>You have viewed this page
  <span id="count">an untold number of</span>
  time(s).
</p>
<script>
  // First visit from this browser: the key does not exist yet, so start at zero.
  if (!localStorage.pageCount) {
     localStorage.pageCount = 0;
  }
  // Web Storage only holds strings, so convert before adding one.
  localStorage.pageCount = parseInt(localStorage.pageCount) + 1;
  // Show the persisted count in the page.
  document.getElementById('count').textContent = localStorage.pageCount;
</script>

The value localStorage.pageCount is used to keep track of how many times you have visited the page, even from one browser session to another, and setting the textContent property of the element returned by document.getElementById('count') makes the counter appear in the page itself.

For security reasons, each domain gets its own localStorage object, so that data can’t leak from one site to another, and for safety reasons, the size of each object is limited.

→ Web Storage also comes in the form of sessionStorage. Each browser window gets its own sessionStorage variable, and, as the name implies, all the values in it are lost when the session ends.

Each domain gets somewhere between 2.5MBytes (Chrome) and 10MBytes (IE) of localStorage to use.
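As an added example (not code from the article or from the W3C spec), here is how a page can estimate how much of that per-domain quota it has already used and handle the QuotaExceededError a browser throws at the limit, instead of letting the script crash. The `storage` argument is any object with the Storage interface, so window.localStorage in a browser, or the constructed in-memory stand-in defined in the block, which stands in for a browser when run outside one.

```javascript
// Added example: a thin wrapper around the Web Storage API that measures quota
// usage and reports, rather than crashes on, the QuotaExceededError a browser
// throws at the per-domain limit. `storage` is window.localStorage or the stub below.
// Browsers keep strings as UTF-16, so each code unit of key and value costs 2 bytes.
function estimateUsageBytes(storage) {
  let bytes = 0;
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    bytes += (key.length + storage.getItem(key).length) * 2;
  }
  return bytes;
}

// Store a value; return false instead of throwing when the domain's quota is full.
function trySetItem(storage, key, value) {
  try {
    storage.setItem(key, value);
    return true;
  } catch (e) {
    // Current browsers name the error; older Firefox and WebKit used codes 1014 and 22.
    if (e && (e.name === 'QuotaExceededError' || e.code === 22 || e.code === 1014)) return false;
    throw e;
  }
}

// The article's page counter, hardened against a missing or non-numeric stored value.
function bumpPageCount(storage) {
  const n = parseInt(storage.getItem('pageCount'), 10);
  const next = (Number.isNaN(n) ? 0 : n) + 1;
  return trySetItem(storage, 'pageCount', String(next)) ? next : null;
}

// Constructed stand-in for a browser Storage object with a fixed quota in bytes.
function makeFakeStorage(quotaBytes) {
  const map = new Map();
  const cost = (k, v) => (k.length + v.length) * 2;
  return {
    get length() { return map.size; },
    key: (i) => [...map.keys()][i] ?? null,
    getItem: (k) => (map.has(String(k)) ? map.get(String(k)) : null),
    setItem(k, v) {
      k = String(k); v = String(v);
      const used = [...map].filter(([mk]) => mk !== k).reduce((s, [mk, mv]) => s + cost(mk, mv), 0);
      if (used + cost(k, v) > quotaBytes) {
        const err = new Error('quota exceeded'); err.name = 'QuotaExceededError'; throw err;
      }
      map.set(k, v);
    },
  };
}
```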

However, as blogger Todd Anglin noted back in 2011:

Some browsers have exposed a workaround that grants "a1.website.com" and "a2.website.com" their own 5MB LocalStorage quotas.

Anglin saw this as a viable way around the quota limit, but also pointed out that:

[this] is specifically frowned upon in the HTML5 Web Storage spec. Browser authors are asked to prevent multiple sub-domains of a single site from being given a bigger localStorage pool.

Anglin therefore advised against this bodge to boost your storage size because it was “likely to break in future.”

But Stanford student Feross Aboukhadijeh recently found that for most mainstream browsers, Anglin’s future still lies ahead of us.

You can still bag extra localStorage using the multiple sub-domain trick.

Indeed, Aboukhadijeh created a web page by means of which you can inflict this trick on yourself, and the results are dramatic.

He can quickly grab gigabytes of your disk space by getting you to visit his one-off domain.

That might not sound like much of a Denial of Service (DoS) attack, but it’s not supposed to happen, for obvious reasons.

And that’s what really matters: that browser makers (and network programmers in general) don’t always take specifications seriously.

By the way, Firefox users can relax: your browser already applies a 5MByte limit at the domain level.

Aboukhadijeh says he’s reported this bug, together with his practical demonstration of how easy it is to abuse, to the other browser vendors.

Let’s see how long they take to respond, if indeed they consider it a problem worth fixing.