- From: Martin Thomson <mt@lowentropy.net>
- Date: Fri, 25 Oct 2024 21:44:40 +1100
- To: ietf-http-wg@w3.org
I'm in the process of writing yet another implementation of RFC 9292 (this time with incremental decoding) and I realized that in this setting I need to start caring about size limits in a more granular fashion. It's one thing to parse a block of memory that you are given, but it's a different matter if you are dealing with streams of indeterminate length. We recommend that URLs of at least 8000 characters are accepted [1], so it might be reasonable to limit that to 8k. But then, in HTTP/2 and HTTP/3 and RFC 9292, the URL is split. How big can a URI scheme be? RFC 3986 doesn't say. 8k for that seems a bit much. The registry has some long ones though, so maybe I could be conservative and say 256 bytes. How big can an authority be? I know that hostnames aren't domain names, but maybe I don't care about other types of name. Domain names can't be more than 255 bytes and a port number can always fit in 5 bytes, so is the limit 261? Or does the prospect of having to carry IDN lead to a need for more than that in corner cases? The path seems like an easy choice: 8k. How big can a method be? RFC 9110 doesn't say. Even 32 bytes seems generous when the registry never hits 20, but is that really what we want? Should minimums for these be standardized, or are we all comfortable with rolling the dice? Cheers, Martin [1] https://datatracker.ietf.org/doc/html/rfc9110#section-4.1-5
Received on Friday, 25 October 2024 10:45:05 UTC