Closed
Description
I mostly know about browsers and didn't test other clients. When sending browsers effectively allow all byte values, except 0x00, 0x0A, and 0x0D.
When receiving 0x00 is also allowed, though Chrome started outlawing that recently and it seems like it might stick.
As far as I can tell field-value is quite a bit more restrictive. I wonder whether that should be reconsidered.
(I originally brought this up in #19.)
(I also haven't tested obs-fold that I remember. I don't think there's a way to force browsers to send headers like that, but receiving is a thing that probably ought to work and likely does.)