Introducing the HTML5 Hard Disk Filler™ API » Feross.org

Creating stuff is hard. Breaking stuff is easy. Thus, I take frequent breaks from creating stuff in order to break stuff.

Behold my latest hackery: FillDisk.com.Fill up your hard disk with just a single click!

How to troll using HTML5 localStorage

The HTML5 Web Storage standard was developed to allow sites to store larger amounts of data (like 5-10 MB) than was previously allowed by cookies (like 4KB). localStorage is awesome because it’s supported in all modern browsers (Chrome, Firefox 3.5+, Safari 4+, IE 8+, etc.).

The standard anticipated that sites might abuse this feature and advised that browsers limit the total amount of storage space that each origin could use. Quoting from the spec:

User agents should limit the total amount of space allowed for storage areas.

The current limits are:

• 2.5 MB per origin in Google Chrome
• 5 MB per origin in Mozilla Firefox and Opera
• 10 MB per origin in Internet Explorer

However, what if we get clever and make lots of subdomains like 1.filldisk.com, 2.filldisk.com, 3.filldisk.com, and so on? Should each subdomain get 5MB of space? The standard says no. Quoting the spec, again:

User agents should guard against sites storing data under the origins other affiliated sites, e.g. storing up to the limit in a1.example.com, a2.example.com, a3.example.com, etc, circumventing the main example.com storage limit. A mostly arbitrary limit of five megabytes per origin is recommended.

However, Chrome, Safari, and IE currently do not implement any such “affiliated site” storage limit. Thus, cleverly coded websites, like FillDisk.com, have effectively unlimited storage space on visitor’s computers.

Proof-of-concept demo

Of course, I had to make a nifty demo to show how this works. See FillDisk.com as a proof-of-concept. You can get the source code on GitHub.

Features:

• Fills up the user’s hard disk on Chrome, Safari (iOS and desktop), and IE.
• Fills up 1 GB every 16 seconds on my Macbook Pro Retina (with solid state drive)
• Tested with Chrome 25, Safari 6, IE 10.
• For 32-bit browsers, like Chrome, the entire browser may crash before the disk is filled.
• Does not work on Firefox, since Firefox’s implementation of localStorage is smarter.
• Includes a button to reclaim your disk space ;)

Let’s fix this

Here are the bug reports I filed with Google and Apple:

You can help get this issue get fixed quickly by visiting the bug report pages and chiming in (starring) so that Google and Apple prioritize this issue.

(If you liked this, you might like Freedom of Speech on the Internet.)