[has-PR] Reevaluate URI length restriction

Issue #1342 resolved
David Waite created an issue

The current SIOPv2 spec states:

The entire URL MUST NOT exceed 2048 ASCII characters.

While URLs continue to have limits, these have grown substantially larger in modern browsers and operating systems.

I will do experimentation of the size limits across various browsers and operating systems, but I believe the min max is now over 64kb excluding IE 11. At the OS level, this may be even larger (on the order of MB).

Comments (12)

  1. David Waite Account Deactivated reporter

    Doing some browser testing today on macOS Monterey b7 (Safari, Chrome, Firefox 92) and iOS 15.1b1 (Safari) with a localhost http URL, the limiting factor appears to be Firefox having a 1 MiB limit on its allocated representation of a URI. Path, query and fragments of length 1,000,000 bytes worked across all four.

    The limiting factor was finding an HTTP server which didn’t mind receiving a 1MB request URL. I eventually used netcat to verify the requests were sent.

    These are obviously best-case limits as I’m testing latest versions on bleeding edge OS, but if there is interest in raising the URL limit we can start to create a test matrix.

  2. David Waite Account Deactivated reporter

    I believe we should determine the original motivation/process behind this limitation and if we can do testing to propose a new limit.

    The browser which I know does still have limitations here is IE11. IE11 has seen obsoletion by Teams within Microsoft, and I believe has a consumer EOL in June 2022. The Enterprise EOL is unfortunately sometime around the heat death of the universe.

  3. David Waite Account Deactivated reporter

    There hasn’t been any recent discussion on this issue.

    For SIOP, where communication is going through the browser/OS only, we have approximately 1MB of URL length allowed as a minimum.

    For going through the internet, there is still a lot of variability and volatility - for instance, changing an intermediary CDN or firewall could institute a max of 2k again.

    For a URI being represented in a QR code, we’ll also have limitations, possibly 3 KB or possibly lower (because of size constraints).

    The question is - should we change this text to allow for more data to be sent within SIOP when you are communicating directly via custom URI or universal links/app links, or should we stick to the “min max” of 2048 due to these other limited environments.

  4. Kristina Yasuda

    Suggest we change to "The entire URL is NOT RECOMMENDED to exceed 2048 ASCII characters."

    and add a note providing some context?

    "Note that multiple size limitations exist: the majority of browsers and mobile OSes in general have URL length restrictions of approximately 1MB, while QR codes, intermediary CDNs or firewalls might have a lower URL length restriction."
