Limit Collection page sizes somehow?

[strugee]

On IRC, saranix points out that "4GB inboxes are possible, completely unpaged is allowed, and any page size is allowed, the server can do whatever and the client is just supposed to be able to handle it... I think that's way too open-ended"

It seems like no sane server would ever do this, but maybe we should put something in the spec about it anyway, just in case?

• saranix proposes allowing the client to dictate max page size
• I think that perhaps we should just put a warning about this in Security Considerations and tell clients to drop replies on the floor if they're ridiculously big
• Maybe just mandate a max page size? But that seems too implementation-specific
• Or maybe we could just put in something vague like "servers MUST take care to choose page sizes that will not overwhelm clients."

[strugee]

Something similar applies for object recursion - a full object is obviously much bigger than a URL to an object so if the server is too aggressive about recursing through objects, the response size can balloon. We've kind of already raised this in #229 - not sure if we should change that, do something else, etc.

[akuckartz]

The size of HTML documents also is not limited by the specification. Should it be? I do not think that this would help.

[strugee]

Yeah, as I said I feel the same. I think we should just put something in security considerations. At the end of the day if you connect to a server that does bad stuff like this there isn't much we can do in the spec itself about that.

[cwebber]

Yeah I think it should go in security considerations. I'd be good with that.

[strugee]

@cwebber want me to do a PR for this one?

[cwebber]

Sure! That would be great.

[strugee]

Forgot about this! But filed #252 :)