feross/filldisk.com

★ 917 · HTML · updated Oct 2019

💾 Masterful trolling with HTML5 localStorage

A 2012 proof-of-concept exploit by Feross Aboukhadijeh demonstrating that Chrome, Safari, and IE ignored the HTML5 spec's recommendation to enforce localStorage quotas across subdomains. By spinning up iframes pointed at numbered subdomains, it could fill a hard drive at ~1 GB per 16 seconds. It was filed as a bug report against all three browsers, not just published for laughs.

The subdomain iframe trick is genuinely clever — each origin gets its own 5-10 MB quota, so 1000 subdomains give you 5-10 GB with no permissions prompt. The README links to the actual browser bug reports filed with Chromium, Apple, and IE, so this was legitimate security research with a trolling wrapper. Firefox was already handling this correctly per spec, which the README calls out honestly.

It's a museum piece — last touched in 2019 and the underlying browser bugs have been fixed for years, so the demo almost certainly does nothing on any modern browser. There's no code worth studying: the interesting logic is a few lines of iframe injection in index.js, surrounded by cat photos and a trololo MP3. No tests, no abstraction, nothing transferable to another project. Star count is entirely nostalgia and Feross's reputation, not technical merit.
