LocalStorage Exploit on Chrome, Safari (iOS and desktop), and IE (opens in new tab)

(github.com)

14 pointscrynix13y ago8 comments

8 comments

TazeTSchnitzel13y ago

This is a repost.

itafroma13y ago

Original: http://news.ycombinator.com/item?id=5297229

crynixOP13y ago

My bad. I didn't see it on HN previously. I'll make sure to double check next time.

asimjalis13y ago

I don’t see a good way around this. If website enforce a domain limit within which all subdomains have to fit, then applications hosted on shared domains such as Heroku or AppSpot.com will squeeze each other out.

ne0phyte13y ago

I don't use it but a friend told me that Opera handles that quite well. It allows a certain amount of space to be used by a TLD and its subdomains and if that space runs out it asks the user whether to give the site more space or to ignore any subsequent tries to write more data.

M4v3R13y ago

It's not that hard. The browser could simply check against the limits on the subdomain in current top window frame, not individually for all frames/iframes in the document. I guess that Firefox does something along the lines of this that makes it immune to this exploit.

csmattryder13y ago

A global limit on the amount of Local Storage a browser can hold would work, it's not perfect, but it'll prevent subdomains creating 1GB+ of data.

kdude6313y ago

Well, supposedly Firefox is immune to it. So why not just take from that?

1 more reply

j / k navigate · click thread line to collapse