Also keep in mind that the contents of contracts end up in ACS caches, application databases, participant databases, and need to be loaded into memory in every transaction that fetches the contract.
Store what you need to store on the contract—there is no hard limit—but unless the contents of the data are necessary to manage the control-flow in a choice you don’t need to store it on the contract. If this is something that doesn’t affect control-flow, then I would recommend (URL, SHA256Hash) or (URL, SHA256Hash, AuthToken) as the sort of type you should be storing instead.