Closed Bug 821659 Opened 9 years ago Closed 9 years ago

LocalStorage NS_ERROR_DOM_QOUTA_REACHED without reaching it on subdomains

Product / Component: Core :: DOM: Core & HTML
Type: defect
Version: 18 Branch
Platform: x86_64, Windows 7
Priority: Not set
Severity: normal
Status: RESOLVED WONTFIX
Reporter: zach.spr
Assignee: Unassigned
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Build ID: 20121212073002

Steps to reproduce:

Fill up localStorage to its limit on 1.example.org at which point it throws NS_ERROR_DOM_QUOTA_REACHED.

Add a key to localStorage on 2.example.org


Actual results:

Immediately throws NS_ERROR_DOM_QUOTA_REACHED on 2.example.org despite localStorage having no keys in it.

This does not happen on Chrome. You can fill them up to the limit on both domains.


Expected results:

It should work the same as on Chrome.  A limit for each domain, not a shared limit between the domain and all subdomains.

I think this may be a design decision instead of a bug, but it's an extremely crippling one.
I believe that the localStorage limits are there because of memory (the entire localStorage is loaded when the web page is loaded on the domain, so a 50mb localStorage would use up a lot of memory) and speed restrictions.  The way the limit works in Firefox seems to imply that it's to protect against the hard drive being filled up, or it's simply a bug.

If malicious filling up the hard drive is a concern, the restriction should be that a warning is given when a subdomain/domain tries to use up a large amount of storage that is culminated across subdomains, giving you the option to block it or allow it then.  And being able to view/delete the localStorage for each subdomain like you do for cookies would alleviate that issue without crippling possible web applications.
Component: Untriaged → DOM
Product: Firefox → Core
> The way the limit works in Firefox seems to imply that it's to protect against the hard
> drive being filled up

That's one of the reasons, yes. Our quota is per eTLD+1, precisely so sites can't get around the restriction by just sharding across subdomains.
This is quite intentional. We have the quota limit for a reason; if sites can just work around the quota limit then the limit is not working.
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → WONTFIX
But, as per the spec, the limit on localStorage was probably suggested due to memory, not due to disk. "User agents may impose implementation-specific limits on otherwise unconstrained inputs, e.g. to prevent denial of service attacks, to guard against running out of memory, or to work around platform-specific limitations."
It seems like Firefox's implementation is the wrong way to prevent people from using this maliciously, when other browsers aren't doing so.  Especially so when there is no option to increase the limit like in Safari, and it can limit web apps.
Also, 50mb disk is allowed by indexeddb, with a prompt to allow exceeding it.  Why does Mozilla think using unlimited disk non-maliciously by indexeddb is okay, but not localStorage which is better supported?
Because localStorage is a synchronous API, we are forced to keep all of the data in memory. So we have the disk-size limit because it's the only way to have a memory-size limit.

IndexedDB doesn't have the same problem because it's asynchronous, so we can load just the requested parts into memory as they are requested.
Right, but the data is only in memory when the domain is loaded.  That's why there is a 5mb limit per domain.  You make it sound like every localStorage for every site you've ever visited is loaded into memory when a page that has localStorage isn't.

Firefox, however, has the quota used for all subdomains, as pointed out.

For example, you can fill up the quota on 1.example.org in Chrome, and visit 2.example.org, and the memory is not allocated for the other subdomain's localStorage.

The only possible malicious usage is to use up a lot of disc, but that could also be done by having many domain names anyway.  If Mozilla really wants to prevent such abuse, they should warn people when a lot of disc is being used in total and have a list like with cookies showing the usage for each domain.  Chrome does this, showing localStorage in the same area as cookies, and how much is used for each domain.
The concern is that people will create a page from website.com which then opens iframes to 1.website.com, 2.website.com, 3.website.com etc. That way we are forced to keep the data for all those websites in memory, and the websites can use document.domain to read data from all those domains synchronously.
Setting aside whether your policy is a good idea for a moment, how do developers who have got into this jam get out of it?

Say I have a site with thousands of subdomains, and one of those subdomains is using all the localStorage, leaving none for any of the others. How can I clear that storage? Does the user have to re-visit each subdomain and hope it will release the localStorage? What if they no longer exist?

It seems that if there is a way to set localStorage across all subdomains, there should be a way to clear it across all subdomains.
Component: DOM → DOM: Core & HTML
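Added example, not code from the bug thread or from Mozilla: a write helper that catches the quota error instead of letting it crash the page, and reports how many bytes this origin's storage already holds. The FakeStorage class is a constructed stand-in for window.localStorage with an assumed byte quota so the block runs under Node; the error-name and legacy-code checks in isQuotaError are the ones browsers have historically used.

```javascript
// Constructed stand-in for window.localStorage (assumed quota in bytes).
// Real browsers throw a DOMException; the thread reports Firefox's as
// NS_ERROR_DOM_QUOTA_REACHED. Here we throw an Error named QuotaExceededError.
class FakeStorage {
  constructor(quotaBytes) { this.quota = quotaBytes; this.map = new Map(); }
  get length() { return this.map.size; }
  key(i) { return [...this.map.keys()][i] ?? null; }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  removeItem(k) { this.map.delete(k); }
  clear() { this.map.clear(); }
  setItem(k, v) {
    const replaced = entryBytes(k, this.getItem(k));
    const next = usedBytes(this) - replaced + entryBytes(k, String(v));
    if (next > this.quota) {
      const e = new Error('storage quota reached');
      e.name = 'QuotaExceededError';
      throw e;
    }
    this.map.set(k, String(v));
  }
}

// Storage strings are UTF-16, so count two bytes per code unit of key + value.
function entryBytes(k, v) { return v === null ? 0 : (k.length + v.length) * 2; }

// Walk the Storage interface (length/key/getItem) to sum what is stored.
function usedBytes(storage) {
  let total = 0;
  for (let i = 0; i < storage.length; i++) {
    const k = storage.key(i);
    total += entryBytes(k, storage.getItem(k));
  }
  return total;
}

// Engines disagree on the name; 22 and 1014 are the legacy DOMException codes.
function isQuotaError(e) {
  return !!e && (e.name === 'QuotaExceededError' ||
    e.name === 'NS_ERROR_DOM_QUOTA_REACHED' || e.code === 22 || e.code === 1014);
}

// Store a value; on a quota error return a diagnostic instead of throwing.
function safeSetItem(storage, key, value) {
  try {
    storage.setItem(key, value);
    return { ok: true, usedBytes: usedBytes(storage) };
  } catch (e) {
    if (!isQuotaError(e)) throw e;
    return { ok: false, usedBytes: usedBytes(storage), error: e.name };
  }
}
```

Against a real browser, pass window.localStorage in place of FakeStorage. Because Firefox's quota is shared per eTLD+1, a failure reported here can be caused by another subdomain's data, which this origin cannot enumerate or remove.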