15 comments

[ 3.3 ms ] story [ 37.7 ms ] thread
Did not crash Firefox nor Chrome for me on Linux.
Crashed Chrome tab on Windows instantly but Firefox is fine. It shows loading but pressing Ctrl + U even shows the very start of that fake HTML.
I can imagine the large scale web scrapers just avoid processing comments entirely, so while they may unzip the bomb it could be they just discard the chunks that are inside of a comment. The same trick could be applied to other elements in the HTML though: semicolons in the style tag, some gigantic constant in inline JS, etc. If the HTML itself contained a gigantic tree of links to other zip bombs that could also have an amplifying effect on the bad scraper.
Crashed 1password on safari haha
Note: the submission link is not the zip bomb. It’s safe to click.
Neat approach. I make my anti-crawler HTML zip bombs like this:

    (echo '<html><head></head><body>' && yes "<div>") | dd bs=1M count=10240 iflag=fullblock | gzip > bomb.html.gz
So they're just billions of nested div tags. Compresses just as well as repeated-single-character bombs in my experience.
Safari 18.5 (macOS) throws an error WebKitErrorDomain: 300.
Crashing Safari on iOS (not technically crashing the whole app, but the tab displays internal WebKit error).
Imagine you‘re a crawler operator. Do you really have a problem with documents like this? I don’t think so.
For every 1 robots.txt that is genuinly configured, there's 9 that make absolutely no sense at all.

Worse. GETing the robots.txt automatically flags you as a 'bot'!

So as a crawler that wants to respect the spirit of the robots.txt, not the inane letter that your hired cheapest junior webadmin copy/pasted there from some reddit comment, we now have to jump through hoops such as geeting hhe robots.txt from a separate vpn etc.

If you try to do that on a site with Cloudflare, what happens? Do they read the zip file and try to cache the uncompressed content to serve it with the best compression algorithm for a given client, or do they cache the compressed file and serve it "as is"?
That content shift on page scroll is horrendous. Please don't do that, there is no need to auto hide a side bar.
I dislike that the websites sidebar all of sudden collapses during scrolling, it shifts all the content to the left in middle of reading