HTML5 lets code run in your browser. Code often wants to store data. A student developer has demonstrated how a poor implementation of one small part of the HTML5 standard means it is quite easy to build a site that fills your hard drive while displaying pictures of cats.
Feross Aboukhadijeh created the FillDisk.com site to demonstrate how the HTML5 Web Storage Standard isn’t properly supported in Chrome, Internet Explorer and Safari. Visit the site and your drive will rapidly fill with data while the site distracts you with cat images. (There’s a stop button which erases the unwanted data, but if you don’t get in fast enough the browser can crash.)
So what’s going on? The standard allows for storage of a larger amount of data than is possible with cookies: useful if you want to build more complex apps. However, it also recommends setting an upper limit on this storage at user agent (browser) level. IE permits 10MB per site, Firefox and Opera allow 5MB, and Chrome allows 2.5MB.
The standard also specifies that browsers should calculate this total across a domain and all of its subdomains (for example, sneaky.lifehacker.com.au as well as lifehacker.com.au). However, it seems that only Firefox and Opera currently do this, leaving Chrome, Safari and IE all vulnerable to HTML5 sites storing potentially limitless amounts of data through the use of subdomains.
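The difference between the two accounting schemes can be modelled in a few lines. This is an added example, not code from FillDisk.com or from any browser: the `QuotaLedger` class, the three-entry suffix list and the `example.com.au` hostnames are constructed for illustration, and the 5MB limit is the Firefox/Opera figure quoted above.

```javascript
// Constructed stand-in for the Public Suffix List; a real browser ships the full list.
const PUBLIC_SUFFIXES = new Set(["com", "au", "com.au"]);

// Registrable domain = longest matching public suffix plus one more label.
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 1; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return labels.slice(i - 1).join(".");
    }
  }
  return labels.join("."); // no known suffix: treat the host as its own site
}

// Hypothetical quota ledger: keyFn decides which hosts share one budget.
class QuotaLedger {
  constructor(limitBytes, keyFn) {
    this.limitBytes = limitBytes;
    this.keyFn = keyFn;
    this.used = new Map();
  }

  // Accept the write only if the budget for this host's key is not exceeded.
  tryWrite(host, bytes) {
    const key = this.keyFn(host);
    const next = (this.used.get(key) || 0) + bytes;
    if (next > this.limitBytes) return false;
    this.used.set(key, next);
    return true;
  }

  totalBytes() {
    return [...this.used.values()].reduce((sum, n) => sum + n, 0);
  }
}

const MB = 1024 * 1024;

// Each of hostCount constructed subdomains asks to store a full 5 MB.
function totalStoredMB(keyFn, hostCount) {
  const ledger = new QuotaLedger(5 * MB, keyFn);
  for (let i = 1; i <= hostCount; i++) {
    ledger.tryWrite(`s${i}.example.com.au`, 5 * MB);
  }
  return ledger.totalBytes() / MB;
}

console.log(totalStoredMB((host) => host, 20));    // one budget per hostname
console.log(totalStoredMB(registrableDomain, 20)); // one budget per registrable domain
```

With a budget per hostname, the total grows with the number of subdomains; with a budget per registrable domain, it stays at the single 5MB limit however many subdomains are used.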
The demo which Aboukhadijeh created is relatively harmless, but I suspect his source code will be utilised by a lot of pranksters before the browser developers fix their implementation.