alt Hacker NewsWait, wait, wait: browsers allow websites to store junk on my drive? They take up gigabytes of memory and still write to disk on top of this? Without even asking whether the site can use local storage?
Years and years back when laptops still had HDDs, I had a script to put the Firefox profile &c on a ramdisk and sync it on reboots so that it didn't spin up the drive constantly. I guess I should have kept doing it.
It's a sad day when Arch users are right (again) https://wiki.archlinux.org/title/Firefox/Profile_on_RAM
Replies
My shortcut for launching "clean" Chromium session is `chromium --user-data-dir=$(mktemp -d)` -- each launch creates a new transient profile directory under /tmp, which is itself a RAM disk. Persistent settings are achieved by setting system-wide defaults in /etc/chromium, including using system-wide managed policy JSON.
Is this surprising? Websites have long been silently writing to disk, for cache, cookies, and blobs. OPFS just provides a file-system-like API for ultimately the same functionality
> Wait, wait, wait: browsers allow websites to store junk on my drive?
Technically even a cookie is junk on your drive
> Without even asking whether the site can use local storage?
Would it be practical to ask permission for every site you visit? It would be better to periodically check the size of your home folder (where the browser profiles normally reside)
The funny part is that "put your browser profile on a ramdisk" used to sound like an obsessive performance tweak, and now it starts to look like a privacy mitigation
Hostile LLMs? In my browser? At this time of the year?
If you open an incognito window in chromium it is profile on ram
> Without even asking whether the site can use local storage?
Where did you see this in the article? I had some recollection that Firefox at least did require asking the user.
That surprised me as well.
I thought the whole point of cookies, local storage, session storage, and indexed DB were to avoid what origin private file system is doing.
You mean I could have just saved stuff as a file this whole time instead of serializing it to a string? Why didn't we just do this from the start?
And Web Developers want more and more OS features built into the browser. This is why I'm against it. Features are only ever abused.
Browsers have an absolute insane level of relatively unchecked permissions to do whatever they want on a client.
There's a lot of effort by browser developers to scope creep the browser into essentially being an OS-agnostic tech stack (one where, conveniently, code can be shipped across the network "as necessary", removing a lot of user agency for the software being ran); Chrome being the biggest driver of this, while Firefox has an extremely weak spine in trying to limit it.
It's fairly dire and I wouldn't be surprised if there's a lot more of these side channel attacks in a lot of web APIs.