24289 2014-01-14 07:25:32 +0000 DNS length limits check 2014-01-14 11:45:20 +0000 1 1 1 Unclassified WHATWG URL unspecified PC Linux RESOLVED WORKSFORME P2 normal Unsorted 1 santi annevk mike sideshowbarker+urlspec oldest_to_newest 98403 0 santi 2014-01-14 07:25:32 +0000 Relevant RFC: http://www.ietf.org/rfc/rfc1035.txt -- Domain names in messages are expressed in terms of a sequence of labels. Each label is represented as a one octet length field followed by that number of octets. Since every domain name ends with the null label of the root, a domain name is terminated by a length byte of zero. The high order two bits of every length octet must be zero, and the remaining six bits of the length field limit the label to 63 octets or less. To simplify implementations, the total length of a domain name (i.e., label octets and label length octets) is restricted to 255 octets or less. -- - Maximum label length is 63 bytes. - Although I couldn't find it in the standard, in practice, implementations require a minimum label length of 1 byte except for the root label. - Maximum length in the textual representation (without final dot) is 253. - Maximum number of labels is 127 (not counting root label). This is just a consequence of the other limits. I couldn't find any check for this during URL parsing except for Mozilla, which checks for the 63 byte length limit for labels. This seems for practical purposes (limiting buffer lengths and so on). See http://mxr.mozilla.org/mozilla-central/source/netwerk/dns/nsIDNService.cpp: -- static const uint32_t kMaxDNSNodeLen = 63; [...] if (in.Length() > kMaxDNSNodeLen) { NS_WARNING("IDN node too large"); return NS_ERROR_FAILURE; } -- Note that, despite the warning text, it is done also for ASCII-only hosts. 98409 1 annevk 2014-01-14 10:42:57 +0000 See step 8 of http://tools.ietf.org/html/rfc3490#section-4.1 which is required by URL. 98418 2 santi 2014-01-14 11:21:47 +0000 Alright. I missed it. So no checks for number of labels / total length? 98419 3 annevk 2014-01-14 11:45:20 +0000 In Live DOM Viewer: <a href="http://0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789/">test</a> <script>w(document.querySelector("a").host.length)</script> Seems this check is not implemented in either Chrome or Firefox. I can also get hosts longer than 300 code points. I think for now I'll just let this slide as "not my problem"...