[whatwg] [Web-storage] subdomains / cooperation and limits

[Ian Hickson]

On Mon, 17 Sep 2012, Brian Kardell wrote:
>
> Ian, you hit the nail on the head with the text section that raised the 
> issue but I still am not entirely sure that I understand... Doesn't this 
> imply that in a case like *.wordpress.com would have a (suggested) limit 
> of 5mb combined for all of its tons and tons of subdomains (at least 
> without additional/constant prompting)?

It wouldn't be "constant" prompting, but yes, the spec does suggest that 
if you visit a dozen WordPress-hosted blogs and they all try to load a 
bunch of content onto your machine, you should probably have to give 
consent or at least be aware of what's going on.


> There are a whole lot of what I would call "common" examples like where 
> it seems (to me anyway) unintuitive given the regularity with which this 
> kind of case would happen to think that that is what is actually 
> proposed.

What's the alternative? Allowing any site to overload your machine with 
infinite amounts of content isn't really a viable solution.


> I can understand blocking access to that data pretty easily, but with 
> postMessage, being in the same top-level domain doesn't even matter so 
> it seems that one could just as easily "subvert the limit" that way.

The difference is that getting a new domain costs money, whereas getting a 
subdomain does not. So the cost of attacking someone with subdomains is 
much lower than with domains.


> I think it isn't really implemented that way anywhere though, is it?
> That is, do browsers really share the limit across subdomains like 
> that...

If they do not, they are likely vulnerable to this kind of griefing.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'