data limit on chrome.storage.local

Question

It is my understanding that there is no hard limit imposed on saving to

chrome.storage.local

so long as the unlimited storage permission is set. Is this true? Doesn't that endanger the sandbox, by allowing a malicious developer to flood someones hard drive merely by asking for an innocent sounding permission?

Answer 1

By default, it is limited to 5 MB in Chrome, but it is true that the limit can be disabled by the unlimitedStorage permission.

To quote the documentation of chrome.storage.local:

QUOTA_BYTES

5242880

The maximum amount (in bytes) of data that can be stored in local storage, as measured by the JSON stringification of every value plus every key's length. This value will be ignored if the extension has the unlimitedStorage permission. Updates that would cause this limit to be exceeded fail immediately and set runtime.lastError.

It is correct that the WebExtension API in combination with unlimitedStorage allows to fill up the disk. That is why it is recommended to install only trusted extensions. Yet for malicious extensions, I would be more concerned about the data that they could send out (e.g. stealing credentials). Or that they can redirect users to phishing sites. Like malware, which is capable of filling up the disk, but typically chooses other - more harmful - attacks.