
iOS (and Android I think, but I primarily dev iOS so that's where my knowledge is) won't let a website exceed a 5MB local storage limit without explicit user consent...so I suppose still technically possible, but not without getting the user to agree to it first.



I wonder if you could still perform a DOS by doing the following:

  - register 1000 domains
  - when the browser navigates to the first domain, store 5MB
  - once the store has finished, redirect to the next domain
  - repeat steps 2-3 ad infinitum

Anybody know if this would work?


That could probably work!

The documentation at http://dev.w3.org/html5/spec/offline.html#disk-space states that "care should be taken to ensure that the restrictions cannot be easily worked around using subdomains", so one would really have to use different domains as you write, which sounds a bit costly.


Sub-domains should work too, then. Just make a page with a bunch of iframes, each on a different, random sub-domain.

Edit: Oops; didn't see the comment above about sub-domains. Worth a try though!


A malicious actor might write a WordPress worm to assemble a domain botnet and cross-link them all to each other such that visiting one stores 5 megs of nonsense from every site on a visitor's client.


At least on Gingerbread, the browser has quite a low global limit -- I sometimes hit it just from using Twitter and Google Search.


I mean, theoretically. But would a user actually willingly wait out this process?


They would if you do it in an iframe while letting them play a flash game. They might even attribute slowdowns to the flash game.


It doesn't need to be downloaded. It can be populated with generated data using JavaScript.


You can store up to 50 MB in appcache (instead of localStorage) in Mobile Safari. You can also store 50 MB in the Web SQL storage, but I don't know if that shares the appcache storage or is counted separately. The 5 MB limit for localStorage is because that's what the spec recommends.


localStorage and application cache are not the same thing.

localStorage is the one that prompts the user for more than 5MB, but the author was using application cache, which I've never seen prompt.


Unless something's changed in the last couple of months, localStorage prompts for any storage, and cuts you off completely at 5MB.


If you're talking about bandwidth cap attacks, then you could just keep cleaning out local storage and downloading more from /dev/random perpetually.

