> based on the assumption that legitimate users have no practical need to do multiple encoding of the same text.
Things can legitimately be encoded multiple times because encapsulation is a thing and multiple independent stages may each be configured to accept possibly binary input and produce base64 output.
You also don't need to re-encode something an unreasonable number of times to get "Vm0wd", all you have to do is start with "Vm0" and base64 encode it twice. "Vm0" only has 24 bits of entropy which means it will regularly occur at random in legitimate data.
And then nobody can figure out why "Vm0-Edge-West" isn't working.

I'm not really sure what the threat model is here. If the attacker can control what encoding scheme you use, surely you have much more serious problems than the possibility of wasting space.

> While Base64 encoding is very useful to transfer binary data over the web
This part I cannot fathom. The era of 7-bit bytes is over. What can possibly justify the need for a "printable characters" encoding now? Something stupid like putting data in a JSON string? What's the next step, base-64 encode the JSON containing that string and put it in an XML tag?

To really crank up the pedant-O-meter, wouldn't it be accurate to instead describe the output growth in point #1 as polynomial, even sub-quadratic?
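
An added example, not part of any comment in this thread: it checks the "Vm0" claim from the first comment and compares a prefix-based detector with one that counts how many times the input actually decodes. The function names and sample inputs are constructed for illustration.

```python
import base64
import binascii
from typing import Optional

MARKER = b"Vm0wd"  # prefix quoted in the first comment


def prefix_heuristic(blob: bytes) -> bool:
    """Hypothetical detector: treat the marker prefix as 'encoded many times'."""
    return blob.startswith(MARKER)


def rounds_until_marker(data: bytes, limit: int = 12) -> Optional[int]:
    """Base64-encode repeatedly; return the round at which MARKER first leads."""
    for n in range(1, limit + 1):
        data = base64.b64encode(data)
        if data.startswith(MARKER):
            return n
    return None


def decode_depth(blob: bytes, limit: int = 12) -> int:
    """Count how many times blob decodes as strict, padded base64."""
    depth = 0
    while depth < limit and blob:
        try:
            blob = base64.b64decode(blob, validate=True)
        except (binascii.Error, ValueError):
            break  # not valid base64 at this layer, stop peeling
        depth += 1
    return depth


if __name__ == "__main__":
    # Constructed inputs: the 3-byte case from the comment plus ordinary data.
    twice = base64.b64encode(base64.b64encode(b"Vm0"))
    print(twice, prefix_heuristic(twice), decode_depth(twice))
    for sample in (b"Vm0", b"hello", b"\x00\xff binary", b"x" * 100):
        print(sample[:12], "-> marker after", rounds_until_marker(sample), "rounds")
```

The prefix check fires on the two-round case exactly as it does on deeply nested input, while `decode_depth` reports the number of layers actually present, so a threshold can be set on depth rather than on the prefix.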