Should we add `InvalidHeaderValue` and return it for invalid maybe malicious header values like `X-Foo: \x80\x81

[Agent-Hellboy]

Currently, we're ignoring invalid and potentially malicious header values.
I’m not sure if proxies should handle this or if the framework should take care of it, but I think Gunicorn could consider adding a check here:

https://github.com/benoitc/gunicorn/blob/master/gunicorn/http/message.py#L70

...and raise a specific error that can be captured and handled here:

https://github.com/benoitc/gunicorn/blob/master/gunicorn/workers/base.py#L206

please check https://www.rfc-editor.org/rfc/rfc9110.html#name-field-values

[pajod]

Those are obsolete, not invalid. And without additional justification, Gunicorn should tolerate them.

A recipient SHOULD treat other allowed octets in field content (i.e., obs-text) as opaque data.

Historically, you could send \x80-\xFF in field values just fine. An existing Gunicorn deployment may even depend on it, so compatibility is a serious concern - which gets really annoying in the context of headers that work like Cookies containing non-ASCII characters.

Do you have any specific problem in mind that may serve as sufficient justification to break rare but previously working setups?