[ac130kz]

>URLs up to ~2000 characters

Exactly, this approach doesn't scale well without trickery involved. You have to have some sort of weird encoding in place to compact it down.

[rbinv]

Yup, ASP's "__VIEWSTATE" hidden form parameter comes to mind. It was base64-encoded and POSTed because it could get loooong (hundreds of KB).

Terrible for browser navigation/refresh though, because pretty much everything was a form POST. Thus no URL state sharing, either.

[bux93]

Also a terrible idea to execute code from the client, even if it's supposedly signed.

https://darkatlas.io/blog/critical-sharepoint-vulnerability-...