Field values containing CR, LF, or NUL characters are invalid and dangerous, due to the varying ways that implementations might parse and interpret those characters; a recipient of CR, LF, or NUL within a field value MUST either reject the message or replace each of those characters with SP before further processing or forwarding of that message.
OkHttp (please see this) and many modern web frameworks (like Flask) reject header values which contain such illegal characters.
However, the server headers folded headers test group adds rigidity by forcing clients to replace invalid characters with space.
I (thanks to @brianquinlan) suggest adding a boolean flag supportsFoldedHeaders to testResponseHeaders() which ultimately lets us skip the test: folded headers.
Clients rejecting headers with illegal values can also be considered to be conformant to the HTTP Standard.
According to the current internet standard (RFC 9110: HTTP Semantics), "\r\n" is invalid.
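The two behaviours the quoted RFC 9110 text permits (reject the message, or replace each CR, LF or NUL with SP), as an added example that is not part of the original post or of the project's code. The names `Policy`, `process_field_value`, `process_message` and the sample field values are assumptions constructed for illustration.

```python
from enum import Enum

# Characters the quoted RFC 9110 text forbids inside a field value.
FORBIDDEN = frozenset("\r\n\x00")  # CR, LF, NUL


class Policy(Enum):
    REJECT = "reject"    # refuse the whole message
    REPLACE = "replace"  # swap each forbidden character for one SP


class InvalidFieldValue(ValueError):
    """Raised under Policy.REJECT when a value contains CR, LF or NUL."""


def process_field_value(name, value, policy):
    """Return a value that is safe to process or forward, or raise."""
    bad = [(i, ch) for i, ch in enumerate(value) if ch in FORBIDDEN]
    if not bad:
        return value
    if policy is Policy.REJECT:
        where = ", ".join(f"{ch!r} at offset {i}" for i, ch in bad)
        raise InvalidFieldValue(f"{name}: {where}")
    # REPLACE: one SP per forbidden character, so no line break survives
    # into later processing or into a forwarded message.
    return "".join(" " if ch in FORBIDDEN else ch for ch in value)


def process_message(fields, policy):
    """Apply the policy to every field; one bad value rejects the message."""
    return {n: process_field_value(n, v, policy) for n, v in fields.items()}


# Constructed sample fields: a clean value, a folded value, a value with NUL.
SAMPLE_FIELDS = {
    "content-type": "text/plain",
    "foo": "BAR\r\n \r\n BAZ",
    "x-note": "a\x00b",
}

if __name__ == "__main__":
    print(process_message(SAMPLE_FIELDS, Policy.REPLACE))
    try:
        process_message(SAMPLE_FIELDS, Policy.REJECT)
    except InvalidFieldValue as exc:
        print("rejected:", exc)
```
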