Can’t you return 408 here with an error message explaining you should delete your cookies? I agree it’s not ideal, but it at least warns the user.
This is a good point, but shouldn’t you return 413 Request Entity Too Large? Or is that strictly reserved for requests where the body is too large?
Seems like you could stretch it to mean the request in general is too large, including headers and the body.
Assuming it’s for the HTML itself. If you can poison just the cdn domain hosting js/CSS, you can break the site in no obvious ways. Browser support for incomplete pages is pretty bad.
This doesn’t seem to work for me on Firefox (not that I find that problematic). The cookies don’t get set.