• zalgotext@sh.itjust.works · 9 points · 17 hours ago

    You’re not wrong. But on the other hand, do we really need a browser API for measuring a user’s SSD usage?

    • Septimaeus@infosec.pub · 4 points · edited · 2 minutes ago

      While I maintain that repurposing OPFS as a measure of SSD usage by this method is unrealistic even under optimal conditions, I gotta admit I’m surprised by the lack of throttling and resource quotas.

      That is, assuming the API is enabled by default.

      Typically, niche-use-case and high-performance APIs that aren’t hidden behind experimental flags require user permission by default (a practice solidified by mitigations of other exploits like mining, fingerprinting, etc.), so to find one open and apparently unregulated by default does seem unusual, if true.

      But if it’s gated by a flag or user permission, I don’t know why the fuck they’d bother to publish this.

      ETA: Either way, I suspect any user vulnerable to this exploit is likely already exposed to much worse from attacks that are similarly inelegant but far more reliable. Those users are already heavily profiled in many datasets. I mean, no one here… hopefully.