Comment 19 for bug 962515

Thierry Carrez (ttx) wrote :

We have three options:
1- File a public "server names over size should return 400" bug and fix it openly in RC2, then calmly do a CRD for stable/diablo
2- Propose the OSAPI server name length patch for coordinated disclosure and complete it just in time for RC2
3- Propose the server name patch AND the sizelimit middleware for coordinated disclosure and complete them just in time for RC2

My issue with solution (3) is that we would push all requests through the new sizelimiting middleware as the very last thing before RC2 publication... which sounds extremely risky to me, that late in the cycle, for the potential benefit of catching unknown other ways of abusing large requests. I'll let Vish decide, but with my release manager hat on, I'd -1 this.

If we don't push the sizelimit middleware in Essex anyway, then I'd rather do option (1) than option (2).
Other opinions?
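The two mitigations the comment weighs (an over-long server name answered with a 400, and a middleware that caps request size before the API sees it) as an added, self-contained WSGI example; this is not Nova's sizelimit middleware or its server-name validation, and the byte cap, the 255-character name limit, the handler and the JSON field names are assumptions.

```python
# Added example: request size limiting middleware plus a server name length
# check. Not the project's code; limits and field names are assumed.
import io
import json

MAX_BODY_BYTES = 114688        # assumed cap on request body size
MAX_SERVER_NAME_LEN = 255      # assumed cap on the server "name" field


class SizeLimitMiddleware:
    """Reject bodies larger than MAX_BODY_BYTES with 413 before the app
    reads them, so oversized requests never reach the handlers."""

    def __init__(self, app, max_bytes=MAX_BODY_BYTES):
        self.app, self.max_bytes = app, max_bytes

    def __call__(self, environ, start_response):
        try:
            length = int(environ.get("CONTENT_LENGTH") or 0)
        except ValueError:
            length = -1   # non-numeric Content-Length: treat as oversized
        if length < 0 or length > self.max_bytes:
            start_response("413 Request Entity Too Large",
                           [("Content-Type", "text/plain")])
            return [b"Request too large"]
        return self.app(environ, start_response)


def create_server(environ, start_response):
    """Toy server-create handler: an over-long name is a client error (400)."""
    body = environ["wsgi.input"].read(int(environ.get("CONTENT_LENGTH") or 0))
    try:
        name = json.loads(body)["server"]["name"]
    except (ValueError, KeyError, TypeError):
        start_response("400 Bad Request", [("Content-Type", "text/plain")])
        return [b"Malformed request"]
    if not isinstance(name, str) or not 0 < len(name) <= MAX_SERVER_NAME_LEN:
        start_response("400 Bad Request", [("Content-Type", "text/plain")])
        return [b"Server name must be 1..%d characters" % MAX_SERVER_NAME_LEN]
    start_response("202 Accepted", [("Content-Type", "text/plain")])
    return [b"Created " + name.encode()]


def call(app, body):
    """Drive a WSGI app with a constructed request body; return the status."""
    environ = {"CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body)}
    status = {}
    list(app(environ, lambda s, h: status.setdefault("line", s)))
    return status["line"]
```

Wrapping `create_server` in `SizeLimitMiddleware` makes the 413 fire first, so the name check only ever runs on bodies already under the cap.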