Creating stuff is hard. Breaking stuff is easy. Thus, I take frequent breaks from creating stuff in order to break stuff.

Behold my latest hackery: Fill up your hard disk with just a single click!

How to troll using HTML5 localStorage

The HTML5 Web Storage standard was developed to allow sites to store larger amounts of data (like 5-10 MB) than was previously allowed by cookies (like 4KB). localStorage is awesome because it’s supported in all modern browsers (Chrome, Firefox 3.5+, Safari 4+, IE 8+, etc.).

The standard anticipated that sites might abuse this feature and advised that browsers limit the total amount of storage space that each origin could use. Quoting from the spec:

User agents should limit the total amount of space allowed for storage areas.

The current limits are:

  • 2.5 MB per origin in Google Chrome
  • 5 MB per origin in Mozilla Firefox and Opera
  • 10 MB per origin in Internet Explorer

However, what if we get clever and make lots of subdomains like,,, and so on? Should each subdomain get 5MB of space? The standard says no. Quoting the spec, again:

User agents should guard against sites storing data under the origins other affiliated sites, e.g. storing up to the limit in,,, etc, circumventing the main storage limit.

A mostly arbitrary limit of five megabytes per origin is recommended.

However, Chrome, Safari, and IE currently do not implement any such “affiliated site” storage limit. Thus, cleverly coded websites, like, have effectively unlimited storage space on visitor’s computers.

Proof-of-concept demo

Of course, I had to make a nifty demo to show how this works. See as a proof-of-concept. You can get the source code on GitHub.


  • Fills up the user’s hard disk on Chrome, Safari (iOS and desktop), and IE.
  • Fills up 1 GB every 16 seconds on my Macbook Pro Retina (with solid state drive)
  • Tested with Chrome 25, Safari 6, IE 10.
  • For 32-bit browsers, like Chrome, the entire browser may crash before the disk is filled.
  • Does not work on Firefox, since Firefox’s implementation of localStorage is smarter.
  • Includes a button to reclaim your disk space ;)

Let’s fix this

Here are the bug reports I filed with Google, Apple, Microsoft, and Opera:

  • Chromium bug report
  • Apple bug report (on an unoffical site, since Apple doesn’t acknowledge their bugs publicly. So lame.)
  • How do I file a bug on IE? Their [bug report]( page is broken.

    Microsoft bug report (requires login)

  • Opera bug report (bug ID: DSK-383073, it’s private) - fills to 75MB in my testing, which isn’t so bad.

You can help get this issue get fixed quickly (on Chrome at least) by visiting the bug report pages and chiming in (starring) so that Google prioritizes this issue.

Update (Mar 13, 2013)

In the news:

Answers to some common questions I’ve been getting:

  • How did you find this HTML5 weakness?

    To be clear, this is not an issue with HTML5, so calling it an “HTML5 weakness” is not accurate. It’s a bug in the way that most browsers (Chrome, Internet Explorer, and Safari) have implemented the HTML5 Web Storage standard. It’s the fault of the browsers, not the HTML5 spec.

    I usually don’t spend my time actively looking for security bugs – I just frequently run into them while programming. In the case of the localStorage bug, I found it while working on a project that utilizes localStorage. I was curious if there was some way to store more than 2.5-10 MB using the API, and using multiple site “origins” by creating tons of subdomains was the first thing that came to mind.

  • You mention Firefox uses localStorage and that it’s better but is there a reason for this?

    Firefox simply places a 10 MB cap on the amount of space that any domain can store using localStorage. So, origins like and, etc. must all share 10MB of space. Making new subdomains doesn’t give you more space.

  • Have you had any followup since leaving the bug reports for Google, Opera, Apple and Microsoft?

    903 people starred the Chromium bug report I created, making it the 9th most starred bug in all of Chromium. The Chrome devs have responded and are working on a fix, though it’s unclear when it will be ready. Apple has not responded, because, well, they’re Apple. Microsoft has responded that they “will be investigating this issue further”.

    So, it seems that the issue will be fixed at some point, though it doesn’t appear to be a top priority for browser vendors at the moment.

You can discuss, upvote, or poke fun at this post over at Hacker News.

(If you liked this, you might like Freedom of Speech on the Internet.)

Thanks for reading! RSS Feed Icon

Feross Aboukhadijeh

I'm Feross, an entrepreneur, programmer, open source author, and mad scientist.

I maintain 100+ packages on npm. All my code is freely accessible on GitHub and funded by my supporters. I now offer a support contract for companies and teams.

I build innovative projects like WebTorrent, a streaming torrent client for the web, WebTorrent Desktop, a slick torrent app for Mac/Windows/Linux, and StandardJS, a JavaScript style guide, linter, and automatic code fixer.

I also work on fun projects like BitMidi, a free MIDI file database, Play, a music video app, and Study Notes, a study tool with college essay examples.

If you enjoyed this post, you should follow me on Twitter.

Or, sign up to get an email whenever I write a post: