Bug 367373 [mozilla.org] - DOM storage quota should exclude offline-app allowed domains
The mechanism implemented, however, is based on the -host- name which allows a malicious site to abuse the storage space by creating sub-domains. The spec warns against this too:
User agents should consider additional quota mechanisms (for
example limiting the amount of space provided to a domain's subdomains
as a group) so that hostile authors can't run scripts from multiple
subdomains all adding data to the global storage area in an attempted
denial-of-service attack.
For reference (Score: 4, Informative)
Apparently the spec already warned about this six years ago (although the current spec [w3.org] says "multiple domains" rather than "subdomains").
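
The quota grouping the spec passage recommends, as an added example that is not part of the original comment or of Mozilla's code: it compares storage accounting keyed by host name with accounting keyed by registrable domain. The `quotaGroup`, `QuotaLedger` and `acceptedBytes` names, the three-entry suffix set, the 5 MB limit and the host names are all assumptions constructed for illustration.

```javascript
// Added example: quota accounting keyed by host name vs. by registrable domain.
// Constructed, minimal suffix set; real code would use the full Public Suffix List.
const SUFFIXES = new Set(["com", "org", "co.uk"]);
const LIMIT = 5 * 1024 * 1024; // assumed per-group quota, not a value from the page

// Map a host name to its quota group: the public suffix plus one label.
function quotaGroup(host) {
  const labels = host.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length; i++) {
    // Longest candidate first, so "co.uk" wins over a bare "uk".
    if (SUFFIXES.has(labels.slice(i).join("."))) {
      return labels.slice(Math.max(i - 1, 0)).join(".");
    }
  }
  // Unknown suffix: group on the last two labels rather than per host.
  return labels.slice(-2).join(".");
}

class QuotaLedger {
  constructor(limitBytes, keyFn) {
    this.limit = limitBytes;
    this.keyFn = keyFn;
    this.used = new Map(); // group key -> bytes charged
  }
  // Charge a write to the host's group; refuse it if the group would exceed the limit.
  tryStore(host, bytes) {
    const key = this.keyFn(host);
    const next = (this.used.get(key) || 0) + bytes;
    if (next > this.limit) return false;
    this.used.set(key, next);
    return true;
  }
  total() {
    let sum = 0;
    for (const v of this.used.values()) sum += v;
    return sum;
  }
}

// Total bytes accepted when every host in `hosts` writes `bytesEach`.
function acceptedBytes(keyFn, hosts, bytesEach) {
  const ledger = new QuotaLedger(LIMIT, keyFn);
  for (const h of hosts) ledger.tryStore(h, bytesEach);
  return ledger.total();
}

// Constructed hosts: four subdomains of one site plus an unrelated site.
const HOSTS = ["s1.example.com", "s2.example.com", "s3.example.com", "s4.example.com", "other.org"];
const MB = 1024 * 1024;
console.log("per host:  ", acceptedBytes((h) => h, HOSTS, 4 * MB) / MB, "MB");
console.log("per domain:", acceptedBytes(quotaGroup, HOSTS, 4 * MB) / MB, "MB");
```

With host-keyed accounting the total accepted grows with every extra subdomain, while the grouped ledger holds all of `example.com` to a single limit.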