HTML5 Flaw Crashes Major Browsers

Posted by John Onwuegbu | Saturday, March 02, 2013 |

The emerging web standard, HTML5, is generating a lot of attention, especially from developers. Recently, San Francisco-based web developer Feross Aboukhadijeh exposed a flaw in the implementation of the HTML5 Web Storage standard in Chrome, Apple Safari and IE that could allow maliciously crafted websites to crash the browser by filling up the hard disk with junk data.

The HTML5 Web Storage standard defines how websites store larger amounts of data in a web browser than cookies previously allowed.

Browsers cap what the standard LocalStorage attribute can hold: the current limit is 2.5MB per origin in Google Chrome, 5MB per origin in Firefox and 10MB per origin in Internet Explorer, in anticipation that websites will want to abuse the feature.

The loophole arises when a cleverly crafted website uses subdomains, each of which counts as a separate origin with its own limit, to circumvent the storage limit, as Feross explains on his personal blog. This is despite the World Wide Web Consortium (W3C) warning that "user agents should guard against sites storing data under the origins other affiliated sites, e.g. storing up to the limit in a1.example.com, a2.example.com, a3.example.com, etc, circumventing the main example.com storage limit".

Google Chrome, Safari and IE failed to implement the "affiliate site" storage limit, which is why the trio are affected by the flaw. Mozilla Firefox is not vulnerable to the flaw, as its LocalStorage implementation is smarter.

However, arguments are rife that implementing the limit across the board may affect sites such as GitHub Pages, where each user's page is a subdomain.
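
The "affiliate site" guard quoted from the W3C above, and the GitHub Pages concern, can both be seen in a small sketch of quota accounting keyed on the registrable domain instead of the origin. This is an added example, not code from any browser or from Feross's post; `siteOf`, `SiteQuota`, the three-entry suffix set and the 5MB budget are assumptions made for illustration (a real user agent would consult the full Public Suffix List).

```javascript
// Constructed suffix set for illustration only; a real user agent would
// load the full Public Suffix List, which also lists shared hosting domains.
const SUFFIXES = new Set(["com", "org", "github.io"]);
const LIMIT_BYTES = 5 * 1024 * 1024; // assumed per-site budget

// Map a hostname to its registrable domain: the longest matching public
// suffix plus one more label to its left.
function siteOf(hostname) {
  const labels = hostname.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    if (SUFFIXES.has(candidate)) {
      // i === 0 means the host itself is a public suffix.
      return i === 0 ? candidate : labels.slice(i - 1).join(".");
    }
  }
  return hostname.toLowerCase(); // unknown suffix: account per host
}

class SiteQuota {
  constructor(limit = LIMIT_BYTES) {
    this.limit = limit;
    this.used = new Map(); // registrable domain -> bytes stored
  }

  // Charge a write of `bytes` made by `hostname` against its site's budget.
  // Returns true if the write fits, false if it would exceed the limit.
  charge(hostname, bytes) {
    const site = siteOf(hostname);
    const total = (this.used.get(site) || 0) + bytes;
    if (total > this.limit) return false;
    this.used.set(site, total);
    return true;
  }
}

const MB = 1024 * 1024;
const quota = new SiteQuota();
console.log(quota.charge("a1.example.com", 3 * MB));  // fits in example.com's budget
console.log(quota.charge("a2.example.com", 3 * MB));  // refused: same site, 6MB > 5MB
console.log(quota.charge("alice.github.io", 3 * MB)); // separate site under a listed suffix
console.log(quota.charge("bob.github.io", 3 * MB));   // separate site, separate budget
```

Because the hosting domain appears in the suffix set, each user's page is treated as its own site and keeps its own budget, while a1.example.com and a2.example.com draw from one shared budget.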