HTML5 hole in major browsers... well, except for Firefox



"Flaws"

You mean ignoring the large, red-backgrounded section of the localStorage spec that specifically warns about this "flaw"? Hah!

Like Microsoft and Opera also did? I'm really not sure why you're so bent on arguing with me and turning this into another opportunity to bitch about Google when almost every browser on the market has the flaw :/ It's a flaw they ALL need to fix (except Mozilla).


Like Microsoft and Opera also did? I'm really not sure why you're so bent on arguing with me and turning this into another opportunity to bitch about Google when almost every browser on the market has the flaw :/ It's a flaw they ALL need to fix (except Mozilla).

Sorry to burst your ego-bubble, but you're the one who responded to me in the first place.

And honestly, not only is "they did it too!!!11" a playground-level response, but it's also completely irrelevant. Presto and Trident aren't open source, they aren't locking down the web with proprietary vendor prefixes and they haven't had people arguing in their favour purely because of silly corporate allegiances. (in this context)


Sorry to burst your ego-bubble, but you're the one who responded to me in the first place.

And honestly, not only is "they did it too!!!11" a playground-level response, but it's also completely irrelevant. Presto and Trident aren't open source, they aren't locking down the web with proprietary vendor prefixes and they haven't had people arguing in their favour purely because of silly corporate allegiances. (in this context)

Did you forget that ALL 4 of the major engines do those stupid vendor prefixes? -o (for Opera), -ms (for MSFT), -moz (for Mozilla) and -webkit (everyone else)?

Don't get why you're bashing WebKit for something EVERYONE is doing. Why not bash them all for doing it?


Because Mozilla and Opera deprecate their prefixes. WebKit (and IE) never do, which leads to people relying on non-standard behavior. At least Google and Mozilla are working on removing them entirely (for new properties).

Also, people have found another vector for this: IPv6. Each IPv6 host is considered separate (so gets its own localStorage block), yet a single person can have 18,446,744,073,709,551,616 v6 addresses (assuming they get a /64 route, even more if they get a /48).

Edit: The best way to fix this for any situation is to put a global limit on local storage of all types. The reason this attack isn't possible with plain HTTP stuff is because browsers already limit the amount of data they store there on a global basis. Saying a single site can only store 50MB or whatever isn't enough; the browser also needs to limit the total amount to 1GB or so for all sites.


Because Mozilla and Opera deprecate their prefixes. WebKit (and IE) never do, which leads to people relying on non-standard behavior. At least Google and Mozilla are working on removing them entirely (for new properties).

This, plus the fact the other vendors have been prompt in supporting unprefixed properties when a spec reaches maturity. For instance, even IE10 has support for unprefixed CSS3 gradients, yet WebKit is still behind. Considering the release cycles of Trident and WebKit, that is absolutely shameful.

Also, people have found another vector for this: IPv6. Each IPv6 host is considered separate (so gets its own localStorage block), yet a single person can have 18,446,744,073,709,551,616 v6 addresses (assuming they get a /64 route, even more if they get a /48).

Personally I'd just restrict the ability to access localStorage from an IP address, v6 or otherwise. I think having a domain as a requirement is a fair trade.

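A toy model of the two mitigations proposed in the posts above (a global cap across all origins, and refusing storage to IP-literal origins), added here as an example and not code from any browser or poster. The 50 MB and 1 GB figures are the ones floated in the thread; the class, function names and the 2001:db8:: sample origins are constructed for the illustration.

```javascript
// Added illustration: a toy quota model, not any browser's real storage code.
const PER_ORIGIN_LIMIT = 50 * 1024 * 1024;  // "50MB or whatever" per site (from the thread)
const GLOBAL_LIMIT = 1024 * 1024 * 1024;    // "1GB or so" for all sites (from the thread)

// True when the origin's host is an IPv4 literal or a bracketed IPv6 literal.
function isIpLiteralOrigin(origin) {
  const host = new URL(origin).hostname;    // IPv6 hosts keep their [brackets]
  return host.startsWith("[") || /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
}

// Hypothetical quota manager: the per-origin cap is always on, the two
// mitigations from the thread are optional policies.
class QuotaManager {
  constructor({ globalLimit = Infinity, blockIpLiterals = false } = {}) {
    this.globalLimit = globalLimit;
    this.blockIpLiterals = blockIpLiterals;
    this.usage = new Map();                 // origin -> bytes stored
    this.total = 0;                         // bytes stored across all origins
  }

  // Returns true if the write is accepted, false if a policy refuses it.
  write(origin, bytes) {
    if (this.blockIpLiterals && isIpLiteralOrigin(origin)) return false;
    const used = this.usage.get(origin) || 0;
    if (used + bytes > PER_ORIGIN_LIMIT) return false;          // per-origin cap
    if (this.total + bytes > this.globalLimit) return false;    // global cap
    this.usage.set(origin, used + bytes);
    this.total += bytes;
    return true;
  }
}

// Constructed input: n distinct IPv6-literal origins in the documentation
// prefix 2001:db8::/32, each writing up to its own per-origin cap.
function totalAfterManyOrigins(manager, n) {
  for (let i = 1; i <= n; i++) {
    manager.write(`http://[2001:db8::${i.toString(16)}]`, PER_ORIGIN_LIMIT);
  }
  return manager.total;
}

const perOriginOnly = totalAfterManyOrigins(new QuotaManager(), 100);
const withGlobalCap = totalAfterManyOrigins(new QuotaManager({ globalLimit: GLOBAL_LIMIT }), 100);
const noIpLiterals = totalAfterManyOrigins(new QuotaManager({ blockIpLiterals: true }), 100);
console.log({ perOriginOnly, withGlobalCap, noIpLiterals });
```

With only the per-origin cap, total usage grows linearly with the number of origins; the global cap stops it after 20 origins, and the IP-literal rule refuses every write in this sample while still allowing named hosts.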
