Allow configuring or disabling max cookie size check

[davidism]

Continue #780

• use arg instead of const for dump_cookie max_size
• add max_cookie_size attr to BaseResponse
• add changelog

[untitaker]

LGTM, might need a testcase for custom values though

[davidism]

The error is slightly confusing because you can pass 4093 bytes as the value and still get the error, since the options are added to the payload. I don't think we need to change it, just pointing it out.

[untitaker]

I think we should elaborate the error message because of this. In Flask it might make sense to only enable this limit in developer mode, and rather try not to crash in production.

…

On Tue, Apr 18, 2017 at 08:37:40AM -0700, David Lord wrote: The error is slightly confusing because you can pass 4093 bytes as the value and still get the error, since the options are added to the payload. I don't think we need to change it, just pointing it out. -- You are receiving this because you commented. Reply to this email directly or view it on GitHub: #1109 (comment)

[davidism]

Maybe this should be a warning? Could use a filter to turn it into an error in Flask debug mode.

[davidism]

How about detecting the before and after version, then warning

The "{key}" cookie is too large: the value was {value_size} bytes but encoding the header required {header_size - value_size} extra bytes. The final size was {header_size} but the limit is {max} bytes. Browsers may silently ignore cookies larger than this.

[untitaker]

Sounds good

…

On April 18, 2017 6:24:54 PM GMT+02:00, David Lord ***@***.***> wrote: How about detecting the before and after version, then warning "Cookie too large: value was {value_size} bytes but header required {header_size - value_size} extra bytes. The final size was {header_size} but the limit is {max} bytes. Browsers may silently ignore cookies larger than this." -- You are receiving this because you commented. Reply to this email directly or view it on GitHub: #1109 (comment)

-- Sent from my Android device with K-9 Mail. Please excuse my brevity.

[Jaza]

Thanks @davidism for making this configurable, there should be need to override the limit of 4k per cookie in most cases, but yes, some people might want to change it.