Escaped string and backslash not web compatible

[miketaylr]

Based on Chrome's experimental roll-out of Sec-UA-CH we've concluded that \\ and \" in the arbitrary brand value is not web compatible.

The biggest hurdle (we're aware of) is the ESAPI library, which would require a re-write to handle these escaped chars correctly.

• 1145279: 404 on soundtransit.org
  • This is caused by the \ and \”, removing them fixes the issue.
  • Worth noting “X-Generator: Drupal 8 (https://www.drupal.org)” in the 200 response -- they’re probably not using ESAPI (unless they have a hybrid PhP / Java stack)
• ESAPI rejects requests due to \ and \”
  • https://bugs.chromium.org/p/chromium/issues/detail?id=1142532
  • https://bugs.chromium.org/p/chromium/issues/detail?id=1140849
• ESAPI multiple encoding issue (filed mentioning Chrome explicitly)
  • Multiple encoding issue for Google Chrome ESAPI/esapi-java-legacy#574
• 1144295: LiveSite blocking UA-CH as multiple encoding breaking www.leedsbuildingsociety.co.uk and probably more sites.
• 1147471: Unable to get business insurance quote on https://smallbizquote.thehartford.com/
  • The server is rejecting any quote in a header value
  • They’re also using ESAPI, it turns out

For now, we're unshipping the escaped chars from Chrome: https://bugs.chromium.org/p/chromium/issues/detail?id=1149575

The spec should be updated to reflect what's safe to ship on the web (without breaking it).

Note: This will obsolete #114