My wife sent a Hallmark eCard to someone today. She picked a format then typed a paragraph or so of text. The length of her prose was nothing out of the ordinary.
Hallmark then generated an email to the recipient and CC’d my wife. In this email was a link to the card. However, it appears to me that Hallmark embeds everything relevant to the card in that URL. The URL that arrived in the email was 622 characters long. It had five querystring arguments, one of which was 422 characters long. (Which, in light of this post, put me into instant convulsions.)
The entire text of my wife’s message was embedded in this big querystring argument. It was encrypted, but it was all there because — not surprisingly — Outlook screwed up the translation URL of that length. When printed in the email, the URL spanned six lines, and when you clicked on it, you got the card but the message was cut off mid-word.
I compared the URL that loaded in the browser with the URL that appeared in the message, found the point where it got cut off, and copied the reaminder out of the message and tacked it onto the URL in the browser — voila — the rest of my wife’s message appeared. Just for giggles, I entered some random text in the URL, and — sure enough — got a section of gibberish in the message.
This whole thing struck me as astoundingly bad form for a company as big as Hallmark, and it got me thinking about maximum URL length. It turns out that there’s a lot of room for long URLs — Internet Explorer’s maximum is over 2,000 characters. I couldn’t find any references to maximum URL length in Firefox, only that it’s “much longer” than IE.
Still, at what point does a URL get out of control? This particular link looked ridiculous sitting in an email. Hallmark even sent the email as plaintext so they couldn’t hide its girth behind an A tag. What would have happened if Outlook put linebreaks in it? How do we not know that’s what happened? (For the record, I forwarded the same email to myself and Thunderbird handled the mammoth URL like a champ.)
Jakob Nielsen says URLs shouldn’t be any longer than 75 characters. He labeled this as a top mistake of Web design in 2002:
Long URLs break the Web’s social navigation because they make it virtually impossible to email a friend a recommendation to visit a Web page. If the URL is too long to show in the browser’s address field, many users won’t know how to select it. If the URL breaks across multiple lines in the email, most recipients won’t know how to glue the pieces back together.
I can’t help but wonder why Hallmark wouldn’t implement something like TinyURL: store the eCard settings in a database, then just tack a GUID onto the back of the URL. Yes, people could try random GUIDs (that post still makes me laugh), but even a 20-digit key would provide enough randomness to stave people off.
Could this be an attempt by Hallmark to avoid privacy issues altogether? I imagine people put some sensitive things in cards they send to people. Is Hallmark trying to stay out of this arena completely by making the whole thing stateless? If everything gets embedded in the URL, and they have nothing on their servers, then they can never be accused of a privacy breach, can they?
I’m left wondering. If anyone has a theory, post it.