It would be fun to execute this against a mobile device, where storage is expensive. 2GB might be all that is required to choke the device.
A neat client-side DDoS :)
Heh, you could easily DoS a Canadian home internet user (not mobile) by transferring a massive amount of data behind their back. So many people here are stuck with 25GB/mo limits.
I think Opera Mobile shouldn't have this cache problem either, similar to my comment about the desktop version. The default cache limit in Opera Mobile is ~2 MB.
I _believe_ that both quotas can be increased after confirmation from the user, but I haven't made any tests.
iOS (and Android I think, but I primarily dev iOS so that's where my knowledge is) won't let a website exceed a 5MB local storage limit without explicit user consent...so I suppose still technically possible, but not without getting the user to agree to it first.
I wonder if you could still perform a DoS by doing the following:
- register 1000 domains
- when the browser navigates to the first domain, store 5MB
- once the store has finished, redirect to the next domain
- repeat steps 2-3 ad infinitum
The documentation at http://dev.w3.org/html5/spec/offline.html#disk-space states that "care should be taken to ensure that the restrictions cannot be easily worked around using subdomains", so one would really have to use different domains as you write, which sounds a bit costly.
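The spec guidance quoted above, sketched from the browser implementer's side as an added example (not code from the thread or from any browser): storage is charged to the registrable domain rather than the hostname, so subdomains share one 5 MB budget, and exceeding it needs user consent. `registrableDomain`, `QuotaLedger`, the `askUser` callback and the tiny suffix set are assumptions for illustration; a real implementation would use the full Public Suffix List.

```javascript
// Constructed sample: a tiny stand-in for the Public Suffix List.
const PUBLIC_SUFFIXES = new Set(["com", "org", "co.uk"]);

// Reduce a hostname to its registrable domain (public suffix plus one label).
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  // Start with the whole host so the longest matching suffix wins.
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      // A bare public suffix has no registrable domain; key on it as-is.
      return labels.slice(Math.max(i - 1, 0)).join(".");
    }
  }
  return labels.join("."); // unknown suffix: fall back to the full host
}

// Hypothetical quota ledger keyed by registrable domain, not by origin.
class QuotaLedger {
  constructor(limitBytes, askUser) {
    this.limit = limitBytes;
    this.askUser = askUser; // consent callback: (site, requestedTotal) => boolean
    this.used = new Map();  // registrable domain -> bytes stored
  }

  // Returns true if the write is allowed and recorded, false if refused.
  tryStore(origin, bytes) {
    const site = registrableDomain(new URL(origin).hostname);
    const total = (this.used.get(site) || 0) + bytes;
    if (total > this.limit && !this.askUser(site, total)) return false;
    this.used.set(site, total);
    return true;
  }
}

// Constructed scenario: the user declines every request to raise the limit.
function demo() {
  const MB = 1024 * 1024;
  const ledger = new QuotaLedger(5 * MB, () => false);
  return [
    ledger.tryStore("http://a.example.com", 3 * MB), // first write fits
    ledger.tryStore("http://b.example.com", 3 * MB), // same site, would reach 6 MB
    ledger.tryStore("http://example.org", 3 * MB),   // different site, own budget
  ];
}
```

Keying on the registrable domain closes the subdomain workaround only; separately registered domains each still get their own budget, which is the case the rest of the thread discusses.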
A malicious actor might write a WordPress worm to assemble a domain botnet and cross-link them all to each other such that visiting one stores 5 megs of nonsense from every site on a visitor's client.
You can store up to 50 MB in AppCache (instead of localStorage) in Mobile Safari. You can also store 50 MB in the Web SQL storage, but I don't know if that shares the AppCache storage or is counted separately. The 5 MB limit for localStorage is because that's what the spec recommends.