Danger Will Robinson, Danger!!
heise Security - 01 March 2013
Developer Feross Aboukhadijeh has published a simple technique that allows a web page to fill up a hard disk without any action on the user's part. If you'd like to try out the "HTML5 Hard Disk Filler" at your own peril, simply go to www.filldisk.com – but beware: the script will immediately get to work and clog up your hard disk with cat images.
To do so, it uses the Web Storage technology in HTML5, which is implemented in all popular browsers. Web Storage provides a separate data storage area for each domain: in Chrome and Safari, the default is 2.5MB, in Firefox and Opera it's 5MB, and in Internet Explorer, 10MB (a test page [see the test page link at the bottom of this post] provides information on a browser's applicable data limit).
Aboukhadijeh simply uses innumerable subdomains, none of which exceed the browser's set quota, to accumulate huge total amounts – a technique that is familiar, for example, from political party donations.
That this shouldn't be possible isn't just a matter of common sense, it is also stipulated in the W3C specification ("User agents should limit the total amount of space allowed for storage areas").

Not all browsers can be fooled by the Hard Disk Filler: Firefox will abort the script without comment once the limit for a domain has been reached, while Opera will ask users whether they want to release unlimited storage when a limit that is defined in opera:config (Global Quota For Databases) has been reached. However, Chrome, Safari and Internet Explorer aren't as clever. Aboukhadijeh says that he has already reported the bug to Google and Apple.

http://www.h-online.com/security/news/item/Web-page-fills-up-hard-disk-1814634.html
The following is from the test page and references browser versions which are a few years old but the storage amount 5120 seems to be applicable to my current version of Firefox 16. I haven't checked the other browsers.

Last time I've checked, Chrome 6.0.472.36 beta let me save 2600-2700 thousands of characters, Firefox 3.6.8 - 5200-5300k, Explorer 8 - 4900-5000k, and Opera 10.70 build 9013 popped a dialog, letting me give the script unlimited storage. Spec arbitrarily recommends 5 megabytes of storage, but doesn't say a thing about actual characters, so in UTF-16 you get twice less.
Doesn't actually require adjusting. You can, however, change the default storage size at which Opera will propose increasing the limit. It is defined by the Domain Quota For localStorage option. Its value is in kilobytes.
Go to about:config and search for the "dom.storage.default_quota" option. Its value is in kilobytes.
AFAIK, there's no way to adjust quotas for Chrome/Safari/IE.
a test page
Browser release dates up to early 2012
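To make the quota problem from the quoted article concrete, here is an added example (not code from the article, the test page or any browser) that models a user agent's storage accounting: once with only the per-origin limit, and once with an additional cap on the total for the whole registrable domain, as the W3C sentence quoted above asks for. The 5120 KB per-origin figure is the one mentioned in this post; the 10240 KB site cap, the `QuotaManager` class, the hostnames and the three-entry suffix list standing in for the Public Suffix List are assumptions made for illustration.

```javascript
// Constructed, tiny stand-in for the Public Suffix List (assumption).
const PUBLIC_SUFFIXES = new Set(["com", "org", "co.uk"]);

// Reduce a hostname to its registrable domain (public suffix plus one label).
function siteOf(hostname) {
  const labels = hostname.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return labels.slice(Math.max(i - 1, 0)).join(".");
    }
  }
  return hostname.toLowerCase(); // unknown suffix: treat the host as its own site
}

// Hypothetical model of a browser's Web Storage accounting (sizes in KB).
class QuotaManager {
  // perOriginKB: limit per host; perSiteKB: cap shared by all subdomains (null = none).
  constructor(perOriginKB, perSiteKB = null) {
    this.perOriginKB = perOriginKB;
    this.perSiteKB = perSiteKB;
    this.byOrigin = new Map();
    this.bySite = new Map();
  }
  // Returns true if the write is accepted, false if it would exceed a quota.
  write(hostname, sizeKB) {
    const site = siteOf(hostname);
    const originUsed = (this.byOrigin.get(hostname) || 0) + sizeKB;
    const siteUsed = (this.bySite.get(site) || 0) + sizeKB;
    if (originUsed > this.perOriginKB) return false;
    if (this.perSiteKB !== null && siteUsed > this.perSiteKB) return false;
    this.byOrigin.set(hostname, originUsed);
    this.bySite.set(site, siteUsed);
    return true;
  }
  siteUsageKB(hostname) {
    return this.bySite.get(siteOf(hostname)) || 0;
  }
}

// Each constructed subdomain of example.com stores exactly its per-origin allowance;
// the return value is what the whole site ends up holding on disk.
function totalAfter(manager, subdomains, quotaKB) {
  for (let n = 1; n <= subdomains; n++) manager.write(`${n}.example.com`, quotaKB);
  return manager.siteUsageKB("example.com");
}

console.log("per-origin limit only:", totalAfter(new QuotaManager(5120), 100, 5120), "KB");
console.log("with per-site cap:    ", totalAfter(new QuotaManager(5120, 10240), 100, 5120), "KB");
```

With only the per-origin check, the total grows linearly with the number of subdomains; with the shared cap, every write after the second subdomain is refused.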