LocalStorage Exploit on Chrome, Safari (iOS and desktop), and IE
github.comThis is a repost.
My bad. I didn't see it on HN previously. I'll make sure to double check next time.
I don’t see a good way around this. If website enforce a domain limit within which all subdomains have to fit, then applications hosted on shared domains such as Heroku or AppSpot.com will squeeze each other out.
I don't use it but a friend told me that Opera handles that quite well. It allows a certain amount of space to be used by a TLD and its subdomains and if that space runs out it asks the user whether to give the site more space or to ignore any subsequent tries to write more data.
It's not that hard. The browser could simply check against the limits on the subdomain in current top window frame, not individually for all frames/iframes in the document. I guess that Firefox does something along the lines of this that makes it immune to this exploit.
A global limit on the amount of Local Storage a browser can hold would work, it's not perfect, but it'll prevent subdomains creating 1GB+ of data.
Well, supposedly Firefox is immune to it. So why not just take from that?