[Matthias247]

With HTTP/2 you can theoretically even transmit bytes with all binary values inside them in both names and values - since the values are length-delimited.

Based on that, some implementations seem to restrict allowed values to the rules that you describe, while others don't.

[missblit]

Yeah, and really the moral of the story shouldn't be (just) to get good at parsing, but to assume that any two parsers may disagree on how to parse a piece of data as part of your security model.