HTML5 Exploit
March 1, 2013 4:02 PM

FillDisk -- HTML5 permits websites to store considerable data on your local disk. It was originally expected that the browsers would impose a ceiling on this, but IE, Opera, Safari, and Chrome do not. A properly coded HTML5 site can completely fill your hard drive.

Firefox handles this properly.
posted by Chocolate Pickle (28 comments total) 12 users marked this as a favorite
 
A properly coded HTML5 site can completely fill your hard drive.

You and I seem to have different notions of propriety regarding web sites.
posted by aubilenon at 4:05 PM on March 1, 2013 [16 favorites]


Firefox handles this properly.

Hooray for no webkit monoculture.
posted by mhoye at 4:05 PM on March 1, 2013 [11 favorites]


Someone somewhere wished s/he could cache the whole Wikipedia to save bandwidth?
posted by Iosephus at 4:07 PM on March 1, 2013 [1 favorite]


Not exactly a place you want to visit on your phone. Right before misplacing it for a couple of hours.
posted by phaedon at 4:13 PM on March 1, 2013


Hooray for no webkit monoculture.

Umm... IE and Opera? I know Opera is moving to WebKit, but that version hasn't been released yet.
posted by sbutler at 4:14 PM on March 1, 2013


Hooray for no webkit monoculture.

WebKit is just rendering. I'm pretty sure it would be possible for Safari to handle this correctly while Chrome didn't, or vice-versa. WebKit ain't the entirety of a browser.
posted by GuyZero at 4:28 PM on March 1, 2013 [4 favorites]


sbutler: "Hooray for no webkit monoculture.

Umm... IE and Opera? I know Opera is moving to WebKit, but that version hasn't been released yet."

Opera is moving to WebKit? That's interesting, I wonder what their value proposition will be. Well, I've always kind of wondered about Opera's value proposition, to be honest, but even more now.
posted by Joakim Ziegler at 4:28 PM on March 1, 2013 [1 favorite]


If you want some actual information about this, all browsers do have limits on a single domain name. What some browsers have messed up is that they're not counting subdomains of a primary domain towards that primary domain's limit. So it's an easy fix, and it really does take a malicious site to make this happen.
posted by Llama-Lime at 4:28 PM on March 1, 2013 [7 favorites]


"Oh hai there... Filling your hard disk with lots of cats...", and Trololololo as background music? That's a great site all by itself, exploit or no.
posted by Joakim Ziegler at 4:30 PM on March 1, 2013 [1 favorite]


Opera is moving to WebKit?

Yep. I remember being critical of Apple early on for choosing to branch KHTML for their browser, instead of supporting and integrating Gecko. At the time Gecko was much more feature complete, and I felt that by the time Apple was done beefing up KHTML it would be just as bloated as Gecko.

Obviously I was wrong. Here we are today and WebKit is everywhere, especially in the mobile market. And Gecko has abandoned embedders.
posted by sbutler at 4:35 PM on March 1, 2013


Thanks, Llama-Lime.
posted by Blazecock Pileon at 4:36 PM on March 1, 2013


Finally, IE6/IE7 are immune from an exploit
posted by mattoxic at 4:45 PM on March 1, 2013 [32 favorites]


I've always kind of wondered about Opera's value proposition

I am someone who has money and would like to pay someone to port their browser to my specific hardware platform. Opera tends to get that money. Also, ads.
posted by GuyZero at 4:46 PM on March 1, 2013 [1 favorite]


WebKit is just rendering. I'm pretty sure it would be possible for Safari to handle this correctly while Chrome didn't, or vice-versa. WebKit ain't the entirety of a browser.

WebKit has its own scripting engine, called SquirrelFish or Nitro, but Chrome doesn't use it. Chrome has its own, called "V8". The other two major browsers also use their own scripting engines.
posted by zixyer at 4:47 PM on March 1, 2013


Also, there may be plenty of legit reasons to think that WebKit is indeed an unhealthy monoculture but this isn't one of them.

And that was the hypothetical "I" back there - I don't actually have any money, for anything.
posted by GuyZero at 5:07 PM on March 1, 2013 [2 favorites]


HTML 5. Coming Summer 2033.
posted by nowhere man at 5:21 PM on March 1, 2013 [6 favorites]


That's interesting, I wonder what their value proposition will be.

Probably much the same as before. To render webpages off-device as they do - via "Opera Turbo", a pretty killer feature if you're on a dodgy network or portable device - they proxy the rendering process and much of the interaction on their own servers. The upshot of that is that they have a fantastic amount of insight into what the Web looks and acts like for mobile users that nobody else has.

The switch to WebKit is probably going to (well, definitely is, I know that) cost them a bunch of really good web-technology developers, but their client-side rendering engine has never been their primary value.
posted by mhoye at 5:24 PM on March 1, 2013


So it's an easy fix, and it really does take a malicious site to make this happen.

That's what I meant, though, about "hooray for no webkit monoculture". Misinterpretations or misreadings of the spec have historically had a horrible habit of becoming de-facto standards, broken or not; we've only really emerged from those dark ages in the last two years. What would the cost be, if instead of being the easy fix it is now, a move to fixing it would have happened three years from now and basically broken the web?
posted by mhoye at 5:28 PM on March 1, 2013


This bug is amusing as a case where the spec left something bad unspecified, so I get the reason for mentioning it, but it's also worth noting how many worse bugs are announced every week, e.g. the big pile of them in Firefox announced here: Bulletin (SB13-056) Vulnerability Summary for the Week of February 18, 2013 (Original release date: February 25, 2013).
posted by Monsieur Caution at 7:13 PM on March 1, 2013


> What would the cost be, if instead of being the easy fix it is now, a move to fixing it would have happened three years from now and basically broken the web?

Because there is no value proposition to you, as a malicious developer, to run sites that fuck trash random computers, unless you have a pretty maladjusted sense of lulz. So the exploit might appear in the wild here and there but doesn't seem likely to propagate in the way a useful security compromise would, even if the latter is more technically difficult.
posted by ardgedee at 8:02 PM on March 1, 2013


As threats go, this is awfully minor. Also patching the subdomain loophole really isn't sufficient; an attacker could do the same sort of thing with redirects to new second level domains.
posted by Nelson at 8:46 PM on March 1, 2013
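An added example, not code from the thread or from FillDisk: a toy model of a browser's storage-quota accounting. It shows the loophole Llama-Lime describes (each hostname gets its own allowance, so subdomains of one site are never charged to the parent) and the fix of charging by registrable domain, and it also illustrates Nelson's caveat that even the fixed accounting does not bound what several unrelated domains can store between them. The 5 MiB limit and the two-entry suffix table are assumptions standing in for real browser limits and the Public Suffix List.

```javascript
// Added example, not from the thread. Per-site limit and suffix table are
// assumptions; a real browser would consult the Public Suffix List.
const PER_SITE_LIMIT = 5 * 1024 * 1024; // assumed per-origin allowance (5 MiB)
const TWO_PART_SUFFIXES = new Set(["co.uk", "com.au"]); // stand-in for the PSL

// eTLD+1 of a hostname: "cats.example.com" -> "example.com"
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  const keep = TWO_PART_SUFFIXES.has(labels.slice(-2).join(".")) ? 3 : 2;
  return labels.slice(-keep).join(".");
}

class QuotaPolicy {
  // mode "origin": every hostname has its own bucket (the subdomain loophole).
  // mode "site":   all hosts under one registrable domain share a bucket (the fix).
  constructor(mode) {
    this.mode = mode;
    this.buckets = new Map(); // bucket key -> bytes already granted
  }

  bucketFor(host) {
    return this.mode === "site" ? registrableDomain(host) : host.toLowerCase();
  }

  // Grant the request if it fits in the caller's bucket; return whether it did.
  request(host, bytes) {
    const key = this.bucketFor(host);
    const used = this.buckets.get(key) || 0;
    if (used + bytes > PER_SITE_LIMIT) return false;
    this.buckets.set(key, used + bytes);
    return true;
  }

  totalGranted() {
    let sum = 0;
    for (const v of this.buckets.values()) sum += v;
    return sum;
  }
}

// Total bytes a policy hands out when each listed host asks for a full allowance.
function grantedTo(policy, hosts) {
  for (const h of hosts) policy.request(h, PER_SITE_LIMIT);
  return policy.totalGranted();
}

// Constructed scenario: 100 hostnames under one registrable domain.
const SUBDOMAINS = Array.from({ length: 100 }, (_, i) => `${i}.example.com`);
// "origin" mode grants 100 allowances; "site" mode grants one.
const perOriginBytes = grantedTo(new QuotaPolicy("origin"), SUBDOMAINS);
const perSiteBytes = grantedTo(new QuotaPolicy("site"), SUBDOMAINS);
```

Running `grantedTo(new QuotaPolicy("site"), ["a.example.com", "b.example.net"])` still yields two full allowances, which is the gap Nelson points out: only a cap on total storage across all sites closes it.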


Ardgedee, I think the point was that some site might take advantage of this hole in order to allocate two or three times the amount of storage that it's really supposed to, not as a hack but simply because it needs it. If, then, the browsers were all fixed to not permit it, that site would cease working.

Back when Netscape was busy ignoring all the standards and doing whatever the hell it wanted to with Navigator, a fair number of things like that which Nav did but which weren't really correct ended up becoming "standard" in exactly that way.
posted by Chocolate Pickle at 9:13 PM on March 1, 2013 [1 favorite]


Opera is moving to WebKit? That's interesting, I wonder what their value proposition will be. Well, I've always kind of wondered about Opera's value proposition, to be honest, but even more now.

There's a lot more to browser software than just the rendering engine. Opera has its own JS engine, plugins/extensions, and other features. Saying it doesn't have a value proposition because it's on webkit is a bit like saying there's no point in using Apple products now that they're built on Intel hardware.
posted by deathpanels at 10:44 PM on March 1, 2013 [1 favorite]


Ah, I see it now...Metafilter is just mathowie's cloud backup system!
posted by Philosopher Dirtbike at 11:39 PM on March 1, 2013 [1 favorite]


I had to stop using Opera after watching an HTML5 video which pushed it (Opera) into "Kiosk" mode. I just couldn't get it out again! I now use Chrome.
posted by JtJ at 3:45 AM on March 2, 2013


The article's claim that Safari has no storage limitations does not gel with my experience. I've been using the Amazon Cloud Reader, and there Safari has dutifully required me to allow the Reader to use more disk space than the standard allowance.
posted by bouvin at 9:39 AM on March 2, 2013


It's not a question of not having limits. It's a question of not having an aggregate limit across all subdomains. That Amazon doesn't exploit that is not a sign that Safari is invulnerable.
posted by jeffamaphone at 10:11 AM on March 2, 2013


If you think Safari isn't vulnerable, go run the app!
posted by Chocolate Pickle at 10:46 AM on March 2, 2013



