
HTML5 hole in major browsers... well, except for Firefox


29 replies to this topic

#16 Javik

Javik

    Beware the tyranny of those that wield power

  • 5,885 posts
  • Joined: 21-May 12

Posted 04 March 2013 - 01:04

So explain to me how it's Google's fault when Webkit (which Google do not actually make just FYI) is not the only browsing engine that is subject to the flaw?


#17 1941

1941

    Banned

  • 18,175 posts
  • Joined: 17-July 06

Posted 04 March 2013 - 01:10

So explain to me how it's Google's fault when Webkit (which Google do not actually make just FYI) is not the only browsing engine that is subject to the flaw?


You need to read the OP and maybe find an email for Feross Aboukhadijeh, he is the one that discovered it.

#18 Javik

Javik

    Beware the tyranny of those that wield power

  • 5,885 posts
  • Joined: 21-May 12

Posted 04 March 2013 - 01:12

I did read it, most notably this bit:

has discovered a bug in Chrome, Safari (iOS and desktop), Opera, and Internet Explorer that makes it possible for a site to fill up the system’s storage space



#19 nub

nub

    Neowinian Senior

  • 2,893 posts
  • Joined: 19-November 06
  • Location: Amerika

Posted 04 March 2013 - 01:16

So explain to me how it's Google's fault when Webkit (which Google do not actually make just FYI) is not the only browsing engine that is subject to the flaw?


Wow. That's a dumb argument.

#20 Athernar

Athernar

    ?

  • 2,928 posts
  • Joined: 15-December 04

Posted 04 March 2013 - 01:30

So explain to me how it's Google's fault when Webkit (which Google do not actually make just FYI) is not the only browsing engine that is subject to the flaw?


Oh, so Webkit isn't the holy grail of openness that you made it out to be in the Opera thread after all? Or is it just because this doesn't work in Google's favour?

They ship Webkit in both binary and source form, they contribute to the Webkit project, and they were supposed to be the so-called "champions of the open web". So yes, they're just as much at fault for shipping a broken, non-standard implementation as Opera and MSFT.

#21 Javik

Javik

    Beware the tyranny of those that wield power

  • 5,885 posts
  • Joined: 21-May 12

Posted 04 March 2013 - 01:33

Funny how people twist your words here when you aren't prepared to sell your soul to Microsoft isn't it.

Chrome is open (ish, chromium), webkit is open. Never did I claim that software being open excludes it from carrying bugs or design faults. And given the other browsing engines it affects, it's clearly something that's common practice in the industry.

#22 Athernar

Athernar

    ?

  • 2,928 posts
  • Joined: 15-December 04

Posted 04 March 2013 - 01:38

Funny how people twist your words here when you aren't prepared to sell your soul to Microsoft isn't it.

Chrome is open, webkit is open. Never did I claim that software being open excludes it from carrying bugs or design faults. And given the other browsing engines it affects, it's clearly something that's common practice in the industry.


Because supporting open web standards means you're a Microsoft supporter, amirite? (Mozilla would have been far more apt)

You argued in favour of Webkit dominance, and now you don't even have the integrity to stick to your own words. Pathetic.

#23 Javik

Javik

    Beware the tyranny of those that wield power

  • 5,885 posts
  • Joined: 21-May 12

Posted 04 March 2013 - 01:41

Another misconception. I still think it would be good if they all worked towards the same goal instead of having to compete with each other, I also accept that no software, proprietary or open source is completely free from flaws. If you want to warble on about integrity how about putting your money where your mouth is and not twisting my words? ;)

#24 1941

1941

    Banned

  • 18,175 posts
  • Joined: 17-July 06

Posted 04 March 2013 - 01:43

Competition is good for the industry; without it we would still be using rotary phones.

#25 Athernar

Athernar

    ?

  • 2,928 posts
  • Joined: 15-December 04

Posted 04 March 2013 - 01:46

Another misconception. I still think it would be good if they all worked towards the same goal instead of having to compete with each other, I also accept that no software, proprietary or open source is completely free from flaws. If you want to warble on about integrity how about putting your money where your mouth is and not twisting my words? ;)


"Flaws"

You mean ignoring the large, red-backgrounded section of the localStorage spec that specifically warns about this "flaw"? Hah!

#26 Javik

Javik

    Beware the tyranny of those that wield power

  • 5,885 posts
  • Joined: 21-May 12

Posted 04 March 2013 - 01:49

"Flaws"

You mean ignoring the large, red-backgrounded section of the localStorage spec that specifically warns about this "flaw"? Hah!


Like Microsoft and Opera also did? I'm really not sure why you're so bent on arguing with me and turning this into another opportunity to bitch about Google when almost every browser on the market has the flaw :/ It's a flaw they ALL need to fix (except Mozilla)

#27 Athernar

Athernar

    ?

  • 2,928 posts
  • Joined: 15-December 04

Posted 04 March 2013 - 02:01

Like Microsoft and Opera also did? I'm really not sure why you're so bent on arguing with me and turning this into another opportunity to bitch about Google when almost every browser on the market has the flaw :/ It's a flaw they ALL need to fix (except Mozilla)


Sorry to burst your ego-bubble, but you're the one who responded to me in the first place.

And honestly, not only is "they did it too!!!11" a playground-level response, but it's also completely irrelevant. Presto and Trident aren't open source, they aren't locking down the web with proprietary vendor prefixes and they haven't had people arguing in their favour purely because of silly corporate allegiances. (in this context)

#28 +SharpGreen

SharpGreen

    Now with built-in BS detector.

  • 2,337 posts
  • Joined: 20-August 04
  • Location: North Carolina
  • OS: Ubuntu 14.04, 12.04 and Windows 8.1
  • Phone: Galaxy Nexus

Posted 05 March 2013 - 01:56

Sorry to burst your ego-bubble, but you're the one who responded to me in the first place.

And honestly, not only is "they did it too!!!11" a playground-level response, but it's also completely irrelevant. Presto and Trident aren't open source, they aren't locking down the web with proprietary vendor prefixes and they haven't had people arguing in their favour purely because of silly corporate allegiances. (in this context)

Did you forget that ALL 4 of the major engines do those stupid vendor prefixes? -o (for opera), -ms (for MSFT), -moz (for Mozilla) and -webkit (everyone else) ?

Don't get why you're bashing Webkit for something EVERYONE is doing. Why not bash them all for doing it?

#29 The_Decryptor

The_Decryptor

    STEAL THE DECLARATION OF INDEPENDENCE

  • 19,293 posts
  • Joined: 28-September 02
  • Location: Sol System
  • OS: iSymbian 9.2 SP24.8 Mars Bar

Posted 05 March 2013 - 02:22

Because Mozilla and Opera deprecate their prefixes, WebKit (and IE) never do, which leads to people relying on non-standard behavior. At least Google and Mozilla are working on removing them entirely (for new properties)

Also, people have found another vector for this, IPv6. Each IPv6 host is considered separate (so gets their own localStorage block), yet a single person can have 18,446,744,073,709,551,616 v6 addresses (Assuming they get a /64 route, even more if they get a /48)

Edit: The best way to fix this for any situation is to put a global limit on local storage of all types. The reason this attack isn't possible with plain HTTP stuff is that browsers already limit the amount of data they store there on a global basis. Saying a single site can only store 50MB or whatever isn't enough; the browser also needs to limit the total amount to 1GB or so for all sites.

#30 Athernar

Athernar

    ?

  • 2,928 posts
  • Joined: 15-December 04

Posted 05 March 2013 - 18:45

Because Mozilla and Opera deprecate their prefixes, WebKit (and IE) never do, which leads to people relying on non-standard behavior. At least Google and Mozilla are working on removing them entirely (for new properties)


This plus the fact the other vendors have been prompt in supporting unprefixed properties when a spec reaches maturity, for instance even IE10 has support for unprefixed CSS3 gradients, yet Webkit is still behind. Considering the release cycles of Trident and Webkit, that is absolutely shameful.

Also, people have found another vector for this, IPv6. Each IPv6 host is considered separate (so gets their own localStorage block), yet a single person can have 18,446,744,073,709,551,616 v6 addresses (Assuming they get a /64 route, even more if they get a /48)


Personally I'd just restrict the ability to access localStorage from an IP address, v6 or otherwise. I think having a domain as a requirement is a fair trade.
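
The two mitigations proposed in posts #29 and #30 (a global cap across all origins, and refusing storage to IP-literal hosts), modelled as an added example that is not part of the thread or any browser's code. The `QuotaManager` class is hypothetical, the 50 MB and 1 GB limits are the figures floated in post #29, and the `2001:db8::` documentation addresses are constructed sample input.

```javascript
// Toy model of browser storage-quota accounting (hypothetical, not a real engine).
const MB = 1024 * 1024;

class QuotaManager {
  constructor({ perOrigin, globalCap = Infinity, allowIpHosts = true }) {
    this.perOrigin = perOrigin;       // limit for one origin
    this.globalCap = globalCap;       // limit across all origins together
    this.allowIpHosts = allowIpHosts; // false = a domain name is required
    this.used = new Map();            // origin -> bytes stored
    this.total = 0;
  }

  static isIpHost(url) {
    const host = new URL(url).hostname;
    // The URL parser keeps brackets on IPv6 literals and normalises IPv4 forms.
    return host.startsWith('[') || /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
  }

  // Returns true when the write is accepted, false when a limit refuses it.
  write(url, bytes) {
    if (!this.allowIpHosts && QuotaManager.isIpHost(url)) return false;
    const origin = new URL(url).origin;
    const current = this.used.get(origin) || 0;
    if (current + bytes > this.perOrigin) return false;
    if (this.total + bytes > this.globalCap) return false;
    this.used.set(origin, current + bytes);
    this.total += bytes;
    return true;
  }
}

// Constructed workload: 100 distinct IPv6-literal origins, 50 MB each.
const hosts = Array.from({ length: 100 },
  (_, i) => `http://[2001:db8::${(i + 1).toString(16)}]/`);

function totalStoredMB(policy) {
  const qm = new QuotaManager(policy);
  for (const h of hosts) qm.write(h, 50 * MB);
  return qm.total / MB;
}

console.log('per-origin only :', totalStoredMB({ perOrigin: 50 * MB }));
console.log('plus global cap :', totalStoredMB({ perOrigin: 50 * MB, globalCap: 1024 * MB }));
console.log('no IP hosts     :', totalStoredMB({ perOrigin: 50 * MB, allowIpHosts: false }));
```

With only a per-origin limit the total grows linearly with the number of origins; the global cap bounds it regardless of how many origins exist, while the IP-host rule closes only the address-literal route.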


