sammhicks
commented
3 months ago I've decided to remove automatic handling of escape sequences as they're a deprecated "feature" of HTTP and I've never actually seen them in the wild, so to speak. As such, I've removed the list of allowed characters, and have tested with request headers with "{}" characters.
Use case: For unknown reasons, an android app using
okhttpsendsError: {}in the HTTP header. I can't see why curly braces would not be allowed. AFAICT braces should be allowed in header field values, see e.g. RFC9110 5.5. They are certainly common in response field values.