Define what consequences NULL bytes (0x00) or other invalid values in header names have

[JannisBush]

What is the issue with the Fetch Standard?

A header name has to match the field-name syntax (which is token) and does not allow all kind of values such as 0x00.
The specifications do not seem to specify however how to deal with invalid header names.
Should the whole response be discarded (network error)? Should only the invalid header (line) be discarded? Should the Null byte simply be ignored or treated as a space?

Example URL with 0x00: Example

• Chromium: ERR_INVALID_HTTP_RESPONSE
• Firefox and Safari: load, the invalid header seems to be ignored (it is not visible in devtools in Firefox, it is visible in Safari)

Related:

• For field-values the conclusion seems to be 0x00 is not allowed and should result in a network error: Why does headers-normalize-response.htm expect null bytes to be allowed? xhr#165
• Tests in WPT that test for 0x00 in header values but not in header names: XMLHttpRequest: response header value containing 0x00 web-platform-tests/wpt#10424

[annevk]

I think this can be folded into #1156, right?

One tricky aspect here is that at least Chromium and perhaps other browsers as well have different parsing between HTTP and HTTPS so tests need to take that into consideration. And writing (tentative) tests is probably what we need to start with before we can require things in Fetch one way or another. If you're interested in writing tests for the cases mentioned in that issue that'd be most helpful.