
Pretty clever. This appears to be in the same vein as that trick where you could use popups to spawn more popups, and by the time the user realized what was going on their computer was completely unresponsive. (fixed with popup blocking in any browser in the last decade.)

Also, Fill my Disk: http://www.filldisk.com/ (local storage bomb)

Implementing limits on the number of cookies would seem to be the natural solution to the problem in the OP, although I doubt this problem is "worth" solving in practice since most people seem to be using cookies to do what they were meant to do.



> This appears to be in the same vein as that trick where you could use popups to spawn more popups, and by the time the user realized what was going on their computer was completely unresponsive. (fixed with popup blocking in any browser in the last decade.)

I recently visited a site that did something similar but was still effective. It opened up mailto: URIs in a loop and since I had Thunderbird set up to handle the links, it practically killed my X session.


Interesting. Quick test result: looks like flipping network.protocol-handler.external.mailto in the Firefox config to false prevents this (of course, in the process, prevents action on mailto links).

There's an open bug in regards to this issue: https://bugzilla.mozilla.org/show_bug.cgi?id=566893


It shouldn't be possible to launch mailto links without an interactive prompt; if it is, please file a bug on the browser.


Simple proof of concept: http://jsfiddle.net/rVxkv/

This opens 2 Thunderbird windows in Firefox 26 but only one in Chromium 31.0.1650.63.

edit: I totally agree it shouldn't be possible :)


I've never seen a prompt to open a mailto: link. Where is it specified there should be one?


I think by "interactive prompt" he means "user interaction".


I suppose I can see an argument for popping something up before firing the schema handler when something sets location.href to a mailto: URL, but that seems like the sort of thing where you'd really want to wait for evidence that it's a problem for anyone before you implement it; it both annoys the user and complicates your code, neither of which is desirable in the absence of real provocation.


Not amount, but total length of the Cookie header. Otherwise the number of cookies will be ~5.

Yes, I recall filldisk.com, but that one doesn't seem harmful to the user (he knows where it comes from & the exploit is quite slow).

Cookie bomb can "bomb" some exact path, so the trick has many uses. E.g. you can "block" /dont_like_this_post on blogspot entirely, while the rest of Blogger will work.
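
As an added illustration of the comment above (not code from the thread or from any commenter): a small audit that computes the Cookie header a browser would send for each path and flags paths that exceed a server's header limit, which shows why total length per path matters more than cookie count. The 8190-byte limit (Apache's default LimitRequestFieldSize), the host names and the jar contents are assumptions constructed for the example.

```javascript
// Assumption: 8190 bytes, the default Apache LimitRequestFieldSize.
const HEADER_LIMIT = 8190;

// RFC 6265 section 5.1.4 path-match.
function pathMatch(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// RFC 6265 section 5.1.3 domain-match (host-only cookies need an exact match).
function domainMatch(host, cookie) {
  if (host === cookie.domain) return true;
  return !cookie.hostOnly && host.endsWith("." + cookie.domain);
}

// Byte length of the Cookie header value a browser would send for host + path.
function cookieHeaderBytes(jar, host, path) {
  const pairs = jar
    .filter((c) => domainMatch(host, c) && pathMatch(path, c.path))
    .map((c) => `${c.name}=${c.value}`);
  return new TextEncoder().encode(pairs.join("; ")).length;
}

// For each path of interest, report the header size and whether it is over the limit.
function auditPaths(jar, host, paths, limit = HEADER_LIMIT) {
  return paths.map((path) => {
    const bytes = cookieHeaderBytes(jar, host, path);
    return { path, bytes, overLimit: bytes > limit };
  });
}

// Constructed jar: one ordinary session cookie plus three large cookies
// scoped to the parent domain and to a single path.
const sampleJar = [
  { name: "session", value: "abc123", domain: "alice.blogs.example", path: "/", hostOnly: true },
  ...[1, 2, 3].map((i) => ({
    name: `pad${i}`, value: "x".repeat(3000),
    domain: "blogs.example", path: "/dont_like_this_post", hostOnly: false,
  })),
];

const samplePaths = ["/", "/dont_like_this_post", "/dont_like_this_post/comments", "/dont_like_this_post2"];
console.table(auditPaths(sampleJar, "alice.blogs.example", samplePaths));
```

Only the scoped path and its sub-paths go over the limit; `/` and the look-alike `/dont_like_this_post2` stay at the size of the session cookie alone, so a count-based cap of three cookies would not have flagged anything.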


The extra level of subdomain as proposed by Homakov seems like a much more worthwhile fix.



