[css-variables] Consider specifying allowed size limit of var() expansion

[twilco]

Quoting https://drafts.csswg.org/css-variables/#long-variables:

To avoid this sort of attack, UAs must impose a UA-defined limit on the allowed length of the token stream that a var() function expands into. If a var() would expand into a longer token stream than this limit, it instead makes the property it’s expanding into invalid at computed-value time.

This specification does not define what size limit should be imposed. However, since there are valid use-cases for custom properties that contain a kilobyte or more of text, it’s recommended that the limit be set relatively high.

Should this limit be explicitly set in the spec to avoid compatibility issues?

Gecko currently requires expansions to be 1mb or less, while Chromium and WebKit both set a limit of 65536 tokens.

[Loirooriol]

A limit that would be reasonable today will probably become absurdly low in 30 years.
And then, if we set a limit now, we will either be stuck with it, or break sites that relied on that limit when we raise it.
So it's better to not specify the limit, this makes it less likely that sites will rely on some specific value.
See similar discussion in #3462

[tabatkins]

Yeah, unless there's a strong demand from implementors, I'm inclined to leave it undefined. Both of those limits you cite sound reasonable to me (and are within an order of magnitude of each other; 2^16 tokens probably translates to ~250KB on average, around 1/4 the Firefox limitation).

---

(#3462 is a bit different; it's a pretty small limitation, even if it is much larger than most code will ever run into, so having an agreed-upon min is relatively more important.)

[tabatkins]

Closing this as WONTFIX, please let me know if that resolution is satisfactory or if you'd like the WG to discuss it more.

[twilco]

That works for me. Thanks to you both.