HTML 5 bug allows huge data dumps on most Mac and PC Web browsers - Page 2

Quote:

Originally Posted by rednival 

I knew you had to enable local storage for Flash, but did not know about the the strict size limits.  I don't see the setting to limit size in my system preferences.  When I add a site, a size limit does not show up there.  It isn't obvious the limits you describe exists.  I am not saying you're wrong, but pointing out there's a good reason I did not know about them.  

 

You right click on the Flash element and choose Global Settings.

Quote:

Originally Posted by JBlongz 

I think this was mentioned to demonstrate how fast the data dumped to the drive.  1GB in 16secs

Not over my ISP, I'd at least need a 512Mbps connection (more for overhead probably) & at 10Mbps I am way short of that.  This is not news & doesn't really qualify as a bug.  

The fact that Mozilla is not effected does sound a little suspicious, sounds almost like a PR stunt cause they're loosing so much ground to Chrome.  Me personally I don't use Chrome so I don't have a dog in this fight but the fact that it was specifically targeted as the example on the video to me really makes the case even more that Mozilla had something to do with the discovery & advertising of this "bug".

Quote:

Originally Posted by mdriftmeyer 

 

https://developer.apple.com/library/safari/#documentation/Tools/Conceptual/SafariExtensionGuide/ExtensionSettings/ExtensionSettings.html

 

 

 

In short, in order for an exploit to be exploitable a user has to open up the storage to be made available.

I'm not sure it's that simple. I've always allowed no database storage in the security setting in Safari (5.0.5), but I was still getting content stored in my username/LIbrary/Safari/LocalStorage folder (until I emptied and locked it).

Quote:

Originally Posted by elroth 

I'm not sure it's that simple. I've always allowed no database storage in the security setting in Safari (5.0.5), but I was still getting content stored in my username/LIbrary/Safari/LocalStorage folder (until I emptied and locked it).

There's two types.  From what I can gather...

HTML5 localstorage is in the directory you looked at.

HTML5 also has database APIs, which store data in /Library/Safari/Databases, which is what I think the security setting turned off.

Originally Posted by John.B 

It should be user configurable.  Not just capped at 5MB, but opt-in, on a per site whitelist basis.

 

If a website that I visit wants to store data on my computer, they can damn well ask my permission.

Agree 100%.  Same for cookies.  Unfortunately, the general population is 1) too lazy, and 2) not smart enough to deal with this.  Web companies, data collectors, spyware, and malware in general will always be around to take advantage of any and all technologies that they can, regardless of the original intent.  Cookies were never intended to track users from site to site in perpetuity, but enterprising (amoral) companies figured out how to do it.  Flash was even more evil about it. 

Eventually, I expect to see sites require local storage, at which point it can (and will) be used just like cookies, to track users rather than provide some bandwidth savings, etc.  It's all about $.