
http2: clarify field-value grammar in doc; reject DEL in field value

(addressing review comments from Ralph Corderoy in
https://golang.org/cl/18728)

Change-Id: I22457a6f768f9136a0e6b84964f0eaf33983c75f
Reviewed-on: https://go-review.googlesource.com/18801
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Ralph Corderoy <ralph@inputplus.co.uk>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Brad Fitzpatrick 10 years ago
parent
commit
2e9cee70ee
2 changed files with 7 additions and 1 deletions
  1. 3 1
      http2/http2.go
  2. 4 0
      http2/server_test.go

+ 3 - 1
http2/http2.go

@@ -193,6 +193,8 @@ func validHeaderFieldName(v string) bool {
 // validHeaderFieldValue reports whether v is a valid header field value.
 //
 // RFC 7230 says:
+//  field-value    = *( field-content / obs-fold )
+//  obj-fold       =  N/A to http2, and deprecated
 //  field-content  = field-vchar [ 1*( SP / HTAB ) field-vchar ]
 //  field-vchar    = VCHAR / obs-text
 //  obs-text       = %x80-FF
@@ -212,7 +214,7 @@ func validHeaderFieldName(v string) bool {
 // strings that begin or end with SP or HTAB.
 func validHeaderFieldValue(v string) bool {
 	for i := 0; i < len(v); i++ {
-		if b := v[i]; b < ' ' && b != '\t' {
+		if b := v[i]; b < ' ' && b != '\t' || b == 0x7f {
 			return false
 		}
 	}
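Review bot: The new condition on the `+` line of the second hunk mixes `&&` and `||` without parentheses and uses a bare `0x7f`; it is correct only because `&&` binds tighter, which is easy to break in a later edit of a check that guards header values. I would write `if b := v[i]; (b < ' ' && b != '\t') || b == 0x7f {` and put `// reject CTLs other than HTAB, and DEL (neither VCHAR nor obs-text)` above it. In the first hunk the added comment line spells the rule `obj-fold`, while the line above it refers to `obs-fold`; the two names should match. The body of validHeaderFieldValue continues past the end of the hunk.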

+ 4 - 0
http2/server_test.go

@@ -864,6 +864,10 @@ func TestServer_Request_Reject_HeaderFieldValueCR(t *testing.T) {
 	testRejectRequest(t, func(st *serverTester) { st.bodylessReq1("foo", "has\rcarriage") })
 }
 
+func TestServer_Request_Reject_HeaderFieldValueDEL(t *testing.T) {
+	testRejectRequest(t, func(st *serverTester) { st.bodylessReq1("foo", "has\x7fdel") })
+}
+
 func TestServer_Request_Reject_Pseudo_Missing_method(t *testing.T) {
 	testRejectRequest(t, func(st *serverTester) { st.bodylessReq1(":method", "") })
 }
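Review bot: The added test only sends DEL in the middle of a value, so nothing here pins the neighbouring bytes that must stay valid; a comparison widened to `b >= 0x7f` would still pass it. A direct check of the validator would cover both sides of the boundary, for example `for _, v := range []string{"a~b", "a\x80b"} { if !validHeaderFieldValue(v) { t.Errorf("%q rejected", v) } }`, next to an assertion that `"a\x7fb"` is rejected. Whether such a unit test already exists elsewhere in the package cannot be seen from this hunk.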