Comment by blfr
21 hours ago
Wait, wait, wait: browsers allow websites to store junk on my drive? They take up gigabytes of memory and still write to disk on top of this? Without even asking whether the site can use local storage?
Years and years back when laptops still had HDDs, I had a script to put the Firefox profile &c on a ramdisk and sync it on reboots so that it didn't spin up the drive constantly. I guess I should have kept doing it.
It's a sad day when Arch users are right (again) https://wiki.archlinux.org/title/Firefox/Profile_on_RAM
Browsers have an absolutely insane level of relatively unchecked permissions to do whatever they want on a client.
There's a lot of effort by browser developers to scope creep the browser into essentially being an OS-agnostic tech stack (one where, conveniently, code can be shipped across the network "as necessary", removing a lot of user agency for the software being run); Chrome being the biggest driver of this, while Firefox has an extremely weak spine in trying to limit it.
It's fairly dire and I wouldn't be surprised if there's a lot more of these side channel attacks in a lot of web APIs.
Now that we have AI, can we go back to real apps and native tech stacks? And revert the browser to a text-display interface?
Unfortunately, real apps and native tech stacks can not only write data to your SSD, they can usually write data to the user directory however they want and they can read it as well!
Browsers are at least somewhat sandboxed.
> can we go back to real apps and native tech stacks
Please God, no. If you're worried about the invasiveness of browser-based apps, native is out of the frying pan and into the fire
It's also the technology that will allow software to run without a continuous connection to the server. If you want to break out of a world where companies own your data it's the tech that is needed.
Flash ended up getting blocked/banned by all browsers because it turned into a giant gaping security hole.
> By January 2021, all major browsers were blocking all Flash content unconditionally.
It looks like we-the-users need to be blocking any and every one of these parasites.
https://en.wikipedia.org/wiki/Adobe_Flash
I have a feeling they may have pushed for that more because it was controlled by a third party, and not the browser developers themselves.
The uncomfortable part is that each step is usually justified by a real use case
My shortcut for launching a "clean" Chromium session is `chromium --user-data-dir=$(mktemp -d)` -- each launch creates a new transient profile directory under /tmp, which is itself a RAM disk. Persistent settings are achieved by setting system-wide defaults in /etc/chromium, including using system-wide managed policy JSON.
Does this maintain your browser extensions (and their settings)?
Yes, extensions can be installed into the system-wide config via entries in the managed policy JSON. Settings configured in a specific browser session naturally won't persist, though, but defaults set in an initial preferences config will be present.
Is this surprising? Websites have long been silently writing to disk, for cache, cookies, and blobs. OPFS just provides a file-system-like API for ultimately the same functionality.
Yes? From the paper:
"On Chrome and Safari, OPFS supports very large files, up to 60 % of disk space, which is more than sufficient to avoid the page cache on most typical systems, as even a small disk size of 64 GB would allow us to create a 38.4 GB OPFS file."
I am indeed surprised to learn that a random website can write a file that takes up 60% of my disk. Is this obviously a capability of Web browsers?
Not only that, but they don't even provide any visibility into what's being stored. Firefox developer tools don't even have OPFS browser functionality. IIRC I even saw some stuff about going out of the way to make it inaccessible by the user.
> Is this obviously a capability of Web browsers?
The main capability is RCE, but it seems that they need a way to store the payload.
Ten movies streaming across that, that Internet, and what happens to your own personal Internet? I just the other day got... an Internet [email] was sent by my staff at 10 o'clock in the morning on Friday. I got it yesterday [Tuesday]. Why? Because it got tangled up with all these things going on the Internet commercially. [...] They want to deliver vast amounts of information over the Internet. And again, the Internet is not something that you just dump something on. It's not a big truck. It's a series of tubes. And if you don't understand, those tubes can be filled and if they are filled, when you put your message in, it gets in line and it's going to be delayed by anyone that puts into that tube enormous amounts of material, enormous amounts of material.
> Wait, wait, wait: browsers allow websites to store junk on my drive?
Technically even a cookie is junk on your drive.
> Without even asking whether the site can use local storage?
Would it be practical to ask permission for every site you visit? It would be better to periodically check the size of your home folder (where the browser profiles normally reside).
The funny part is that "put your browser profile on a ramdisk" used to sound like an obsessive performance tweak, and now it starts to look like a privacy mitigation.
Hostile LLMs? In my browser? At this time of the year?
If you open an incognito window in Chromium, it is profile on RAM.
> Without even asking whether the site can use local storage?
Where did you see this in the article? I had some recollection that Firefox at least did require asking the user.
Firefox doesn't ask permission just to use localstorage, no modern browser does this. The closest thing you get is when a site wants to persist storage with "navigator.storage.persist()", which should prompt you for permission. But localstorage data usually persists anyway, and only gets deleted if the browser's storage is "under pressure", so I've never personally worked on a site or web app that had to use that API.
I don't think LocalStorage allows you to store gigs of data though, and IIRC this method depended on the Origin-Private File System API.
You mean by default, or it cannot be configured that way? I believe I had Chrome configured to not allow storage by default, only for sites I added to an exclusion list. I can't remember now, but isn't there also an option to change the default on Firefox to deny or always ask for permission?
Btw. as per EU law (GDPR) website owners are required to acquire informed consent for any kind of client side storage if it contains information that is personal. And it has been ruled that any information that can be used to identify returning users is such.
People think the GDPR is just about cookies, but it is agnostic of the technology used.
Maximum fines: €20 million, or 4% of the company's total worldwide annual turnover of the preceding financial year — whichever is higher.
And informed consent means they need to know what data you collect/store for which purposes, and there needs to be an equally easy-to-select "No" option.
That surprised me as well.
I thought the whole point of cookies, local storage, session storage, and IndexedDB was to avoid what origin private file system is doing.
You mean I could have just saved stuff as a file this whole time instead of serializing it to a string? Why didn't we just do this from the start?
It's still sandboxed and deleted when the user clears private data for the website.
The main advantage it has over things like cookies, local storage, etc. is that it provides a byte-oriented, random access API and as a result, you can use third-party libraries like SQLite that expect a file API. Which is more important now that we have tools like Emscripten and WebAssembly that let you use existing C libraries on the web. At the same time it has security guarantees such that webpages cannot write arbitrary files that will be viewed and executed by the user.
Also, in theory you could use this side-channel attack on localStorage and sessionStorage. Its only requirement is that it needs an API that writes to disk where you can measure the latency of a synchronous call, since the fingerprinting is just measuring the interference pattern between disk accesses the attacking website does vs. disk accesses that other websites do.
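As an added illustration (not code from this thread or from any browser project), the following JavaScript gives the visibility the thread says devtools lack: it walks an origin's OPFS tree through the File System API described above, sums file sizes, compares them with the `navigator.storage.estimate()` figures, and flags oversized files. The `fakeStorage` object is a constructed stand-in so it runs outside a browser; in a real page you would pass `navigator.storage` from the devtools console instead.

```javascript
// Added example: make an origin's OPFS usage visible. Recursively list every
// file under the OPFS root and report sizes alongside the StorageManager
// estimate, so a user or defender can see what a site has actually written.
async function listOpfsFiles(dirHandle, prefix = "") {
  const files = [];
  for await (const [name, handle] of dirHandle.entries()) {
    const path = prefix + name;
    if (handle.kind === "file") {
      const file = await handle.getFile(); // File object; .size is in bytes
      files.push({ path, bytes: file.size });
    } else {
      files.push(...(await listOpfsFiles(handle, path + "/")));
    }
  }
  return files;
}

// storage: a StorageManager (navigator.storage in a browser, or a fake).
// warnBytes: files at or above this size are reported as oversized.
async function auditOriginStorage(storage, warnBytes = 256 * 1024 * 1024) {
  const [estimate, root] = await Promise.all([
    storage.estimate(),     // { usage, quota } for this origin
    storage.getDirectory(), // OPFS root directory handle
  ]);
  const files = await listOpfsFiles(root);
  const opfsBytes = files.reduce((sum, f) => sum + f.bytes, 0);
  return {
    quota: estimate.quota,
    usage: estimate.usage,
    opfsBytes,
    files,
    oversized: files.filter((f) => f.bytes >= warnBytes).map((f) => f.path),
  };
}

// Constructed fake StorageManager so the audit runs outside a browser. The
// quota mirrors the paper's "60% of a 64 GB disk" figure quoted in the thread.
function fakeDir(entries) {
  return { kind: "directory", entries: async function* () { yield* Object.entries(entries); } };
}
function fakeFile(size) {
  return { kind: "file", getFile: async () => ({ size }) };
}
const fakeStorage = {
  estimate: async () => ({ usage: 38000001024, quota: 38400000000 }),
  getDirectory: async () =>
    fakeDir({ cache: fakeDir({ "db.sqlite": fakeFile(1024) }), "blob.bin": fakeFile(38000000000) }),
};
```

Running `auditOriginStorage(navigator.storage)` in a page's console lists the files the origin keeps in OPFS and how close it is to its quota.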
And Web Developers want more and more OS features built into the browser. This is why I'm against it. Features are only ever abused.