Abusing Your Browser: Infinitely Large Favicons

In web world, there are a lot of issues with how things fundamentally work. One of these issues is that there is no way to tell the size of something you want to download until you've downloaded it. This isn't a huge problem, but does lead to some funny behaviors. This issue means that that memory for web pages are allocated during run-time, since there's no indication how many dozens of megabytes will be needed when reading a simple page of text. If your webpages are ridiculously bloated already, please stop reading now. I don't want to give you any more ideas.

To cause mischief, I whipped up a little golang program that is basically a blank webpage except it has an infinitely large favicon. Here's the code. Note. If you're writing an application that downloads arbitrary URLs, watch out for people like me.


Browsers try to be nice and make your browser experience beautiful. Most of them will fetch the favicon.ico automatically, whether or not the page specifies where the favicon is. Most will send off a GET request automatically to /favicon.ico when loading your page.

It's really amazing that Chrome and Safari don't have a sanity check for the size of a favicon. When I load the root of this website on safari, the favicon automatically gets fetched...fetched...fetched and loaded directly into RAM until the tab crashes and is reloaded, until the OS crashes, or until the machine grinds to a halt. The video below shows the most elagant failure I saw during my testing of this behavior.

This regularly crashed my entire OS in chrome in much more dramatic fashion than the above video, but has become more flaky in recent months. I tried this on three different macbooks today and OS X would crash consistently on my 8gb RAM rMBP from 2013 when loading this page, but only after I disabled memory compression. Crashing the OS used to be a sure thing but I'm guessing some of the issues this was causing ended up in front of someone at Apple, from telemetry of crash reports. If you decide to try to crash stuff, I recommend doing this on machines with smaller amounts of RAM. If you run my code I would love to hear your results about which operating systems crash and which do not.

Recommendations

This raises the interesting question of what should be done about this, if anything? Should browser's blindly trust infinitely large files? The HTML spec puts no limit to the size of a favicon. Who is to say how big a favicon should be? What's this matter anways?

I believe in most other countries, that aren't the United States, people pay their internet usage by bandwidth used. This behavior could be used to raise the cost of being a citizen of the web in those countries, which is bad.

I recommend adding an artifical max to the size of a favicon. I found a big list of high alexa rating sites and cycled through about 100 of them. A ton of favicons were bigger than 50k, which surprised me, but none were larger than a mb. I expect sites who are a part of the alexa top 100 to have compact favicons, and lower rated sites that have not optimized as much to have some very large favicons. Maybe adding a favicon size limit of 3mb would be useful without causing too much harm.



ejj, Jan 2016