Vertical Tabs (0x0b) are interpreted as whitespace for both XFO and CSP even though the specification require ascii-whitespace [CSP](https://w3c.github.io/webappsec-csp/#framework-infrastructure) or HTTP whitespace [XFO](https://fetch.spec.whatwg.org/#http-whitespace) that both do not contain VT. - Example 1: `CSP: \vframe-ancestors 'none'` [URL](http://sub.headers.websec.saarland/_hp/tests/framing.sub.html?resp_type=parsing&browser_id=1&label=CSP-FA&first_id=6265&last_id=6269&scheme=http&t_resp_id=6269&t_element_relation=iframe_direct&t_resp_origin=https://headers.webappsec.eu) - Example 2: `CSP: img-src\v 'self'`[URL](http://sub.headers.websec.saarland/_hp/tests/subresource-loading-csp.sub.html?resp_type=parsing&browser_id=1&label=CSP-IMG&first_id=29354&last_id=29358&scheme=http&t_resp_id=29354&t_element_relation=iframe_direct&t_resp_origin=https://headers.webappsec.eu) - Example 3: `XFO: DENY\v`[URL](http://sub.headers.websec.saarland/_hp/tests/framing.sub.html?resp_type=parsing&browser_id=1&label=XFO&first_id=3630&last_id=3634&scheme=http&t_resp_id=3633&t_element_relation=iframe_direct&t_resp_origin=https://headers.webappsec.eu) Chromium has the same issue. Firefox does not strip \v and interprets all these examples as invalid.