This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.
Every counter block must have a different value, so the plaintext / ciphertext length is constrained to be no greater than the size of 2^length blocks.
Quality of implementation issue. This is cryptographically no different than discussing entropy of primes. We discuss this at every F2F it seems, and at every F2F we seem to reach consensus that it's NOT reasonable for an implementation to, for example, 'remember' every IV that was used with a given key. As such, this is at best a "prevent you from doing crypto bad", which we've agreed is not an acceptable justification in and of itself. I can think of no possible implementation that, within space and time bounds, can reasonably provide these assurances over a generic API such as Web Cryptography.