André Malo wrote:
So, there's just one token and no place for an implied LWS. [ situation
differs from "between any two adjacent words (token or quoted-string)" ]

So, as PR 16520 states:

Authorization : scheme scheme param=value

is a valid header and should be treated as

Authorization: scheme scheme param=value


So these are not the same headers, by my reading of the RFC. In fact the
former is a Bad Request, since a token cannot contain WS.

nd

I wasn't 100% sure myself whether the LWS was allowed after the header name... But is reporting a bad request not a bit drastic if removing the LWS can make it compliant? This will make the server more lenient towards malformed header names.


But one of the two (stripping LWS or blocking the request) should be done because, IMHO, this is a serious security issue. There are back-end servers (in case Apache is used as a proxy) that strip whitespace from the front and end of header names. In that case Apache and the back-end will see different requests (e.g. the Authorization header).

--
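As an added illustration of the disagreement described above (this is example code written for this page, not Apache's parser or anything posted in the thread), the following Python models the two readings side by side: a strict parser that applies the RFC token rule to the field name and rejects "Authorization :" as a bad request, and a lenient parser that strips the whitespace the way the back-end servers mentioned above do. The helper `lenient_strict_disagree` is a hypothetical check that reports which header names the two parsers would treat differently, which is exactly the condition a front-end/back-end pair must avoid. The sample header lines are constructed.

```python
import re

# RFC 2616 "token" characters (the same set as RFC 7230 tchar): printable ASCII
# minus the separators ()<>@,;:\"/[]?={} and SP/HT. Whitespace is excluded,
# which is why "Authorization " (with a trailing space) is not a token.
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def parse_header_line(line, strict=True):
    """Split one 'Name: value' line into (name, value).

    strict=True  -> the reading of the RFC given in the thread: the field name
                    must be a single token, so whitespace before ':' makes the
                    request malformed (raised as ValueError).
    strict=False -> the lenient behaviour attributed to some back-end servers:
                    whitespace around the name is stripped and the header kept.
    """
    name, sep, value = line.partition(":")
    if not sep:
        raise ValueError("header line has no ':'")
    if strict:
        if not TOKEN_RE.match(name):
            raise ValueError("field name %r is not a token" % name)
        return name, value.strip(" \t")
    return name.strip(" \t"), value.strip(" \t")


def parse_headers(lines, strict=True):
    """Parse a list of header lines into a dict keyed by lower-cased name
    (last value wins). In strict mode one malformed name rejects the request."""
    headers = {}
    for line in lines:
        name, value = parse_header_line(line, strict=strict)
        headers[name.lower()] = value
    return headers


def lenient_strict_disagree(lines):
    """Hypothetical consistency check: return the set of header names that a
    lenient parser accepts but a strict parser rejects, i.e. the headers on
    which a proxy and a back-end with different rules would see different
    requests. An empty set means both parsers agree on every line."""
    disputed = set()
    for line in lines:
        try:
            parse_header_line(line, strict=True)
        except ValueError:
            try:
                name, _ = parse_header_line(line, strict=False)
                disputed.add(name.lower())
            except ValueError:
                pass  # malformed for both parsers, so no disagreement
    return disputed


# Constructed sample request headers; only the "Authorization :" shape comes
# from the thread, the values are placeholders.
SAMPLE = [
    "Host: example.test",
    "Authorization : Basic PLACEHOLDER",
    "User-Agent: check",
]

if __name__ == "__main__":
    print("lenient view:", parse_headers(SAMPLE, strict=False))
    print("disputed names:", lenient_strict_disagree(SAMPLE))
    try:
        parse_headers(SAMPLE, strict=True)
    except ValueError as err:
        print("strict parser rejects the request:", err)
```

Run stand-alone it prints the lenient parser's view, in which the Authorization header is present, reports `authorization` as the disputed name, and shows the strict parser refusing the whole request; either resolution discussed in the thread (stripping or rejecting) is acceptable as long as every hop in the chain applies the same one.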